Cisco Umbrella Stage Workshop Guide

Cisco Umbrella 101

Field Engineer Course


Fire Jumper Stage 3 Deployment Training

1
Course Introduction
• Overview
- This course will take a Field Engineer through deploying their first Umbrella
deployment in a controlled dCloud lab environment.

• Expectations
- Student is familiar with Umbrella and has completed Umbrella Stage 2 Deployment
track in the Fire Jumper Academy for Field Engineers
- Stage 2 knowledge is critical to your overall Umbrella learning path. The Lecture
included in this course is meant to serve as both an overview and preparation for
the included labs but is not a complete knowledge transfer.

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

2
Instructors
• Jamie Sanbower - [email protected]
• Usman “Uzi” Ahmed – [email protected]


3
Fire Jumper Roles


4
Fire Jumper Stages – Umbrella Field Engineer
• Stage 1 - Registration
• Stage 2 - Product Fundamentals
• Stage 3 - Instructor Led Training (ILT) Class w/ Lab YOU ARE HERE


5
Umbrella 101 Field Engineer Course Outline
Day 1
• Module 1 – Fundamentals
• Module 2 – Deployment
• Module 3 – Identity
• Module 4 – DNS
• Module 5 – CDFW
• Lab Scenarios 1-8

Day 2
• Module 6 – SWG
• Module 7 – Advanced SWG
• Module 8 – Investigate
• Module 9 – Operations & Troubleshooting
• Module 10 – SecureX
• Lab Scenarios 9-16

6
Umbrella FE Labs
Day 1
1. DNS Network Protection
2. DNS Branch Protection
3. Active Directory Integration
4. Roaming Device Protection
5. Virtual Appliances
6. SIG Network Tunnel
7. Cloud Delivered Firewall
8. Intrusion Prevention System

Day 2
9. Secure Web Gateway
10. CASB / Cloud Malware
11. Data Loss Prevention
12. Remote Browser Isolation
13. Operations & Troubleshooting
14. Investigate
15. APIs & Integrations
16. SecureX

7
Course Details

8
‣ Widget Maker with R&D, Sales, Marketing and Executives
‣ Your First Umbrella Customer
‣ Headquarters and Branch Locations
‣ Consolidate multiple existing security controls & devices with Umbrella SSE
‣ Long term goal of SASE

9
Module 1
Fundamentals

10
This is how things used to work with network and security.

• All applications used to be hosted on-prem. You had to be on the corp network in
order to access them/get work done.
• Branch offices would tunnel all traffic back to the corp datacenter over MPLS –
80% of the traffic was internal
• All internet access was routed there
• And you had a complete security stack – firewall, SWG, etc. - deployed within
corporate data center or HQ

For years, this was the way that most companies deployed their network architecture
and it allowed you to have a single place for all security on your network.

11
Over the last 5 years there has been a drastic increase in Internet traffic.
Organizations have continued to adopt cloud applications and storage and are
running more of their workloads from the cloud.
Now the percentage of Internet traffic is typically higher than the internal traffic.
Backhauling all this traffic through expensive MPLS lines and VPNs doesn’t make
sense any more.

This old centralized approach forces all of the internet traffic through the single stack
of security appliances. This is leading to performance problems, impacting user
satisfaction and causing issues with SaaS adoption in many organizations.

and then to have it get backed up trying to go through the single security stack on
premise is costly and it leads to a very poor user experience.

12
Today, networks are becoming decentralized. Because of the internet and cloud, you
can connect and get work done from any device, any location, and any time.

We’re seeing the network transform as:


• More applications move to the cloud, changing the way we work
• The number of mobile/roaming workers increase
• Branch offices adopt direct internet access (DIA) or direct cloud access (DCA).
• MPLS is really expensive and broadband internet service is cheap, so many
organizations are re-architecting their network to use MPLS for only critical
apps, like voice and video, and connecting directly to the internet for all
others.
• As organizations refresh their networks to better enable DIA, they are
adopting SD-WAN or software defined wide area network technology.

But, as you move towards more direct internet access, security needs to be a major
consideration:
• You can no longer depend on your existing, on-premises security stack
• You need a way to secure your branch edge and cloud edge.

13
4 out of 5 orgs are shifting to direct internet access (DIA)

Security must adjust to this new approach

Source: ESG Research Survey, Cisco Secure Internet Gateway Survey, January 2019

We commissioned primary research with ESG focused on validating trends in the
market, customer perceptions, and current technology consumption patterns for
securing remote workers and locations

Based on this research:

• DIA & SD-WAN are pervasive in branch and remote offices
• 4 out of 5 organizations are shifting to direct internet access for some or all branch
and remote offices
• 76% of organizations use SD-WAN extensively or selectively

--------------------------------
Respondents info:
• 450 cybersecurity, IT and networking security professionals
• Responsibility or knowledge of branch office security responded
• With headquarters in North America and Western Europe
• With 500+ employees and $50M in annual revenue

14
We already know that the best defense is a layered approach. Umbrella has
a robust set of layered security capabilities along with the best security
efficacy in the industry.

15
Cisco Umbrella evolution
Timeline: 2009 | 2012 | 2015 | 2017 | 2019 | 2020

Cisco milestones (top row of the slide, in order): OpenDNS for Business; Umbrella
enterprise internet security; Cisco acquisition; Cisco Umbrella adds security
functionality; Cisco Umbrella adds SWG, FWaaS, and CASB functionality plus SD-WAN
integration

Cloud-delivered functionality (bottom row of the slide, in order): DNS resolution;
DNS + Security; Set of security services integrated in the cloud (SIG);
Multi-function security and SD-WAN; Cloud-native multi-function security and
networking (SASE)

On the bottom half of this slide you see a progression of cloud delivered functionality
for internet access, security and networking. More recently there has been a much
needed move towards consolidation and simplification in these areas. A few years
ago, Secure Internet Gateway (SIG) was the hot label for a consolidated set of cloud
delivered security functions. Just last fall the concept of a Secure Access Service Edge
emerged on the scene as an even broader set of security functions combined with
edge networking functionality.

Up top, you see that Cisco has been building a multi-function cloud-based security
solution and is integrating edge networking functionality to meet market needs.
OpenDNS for business started in 2009 with DNS resolution and added the initial
security functions in 2012. After the Cisco acquisition in 2015 we continued to add to
the security capabilities of this high performance cloud native solution.
Then in 2017, we announced Umbrella as a secure internet gateway (SIG) with
multiple cloud delivered security components integrated into a single cloud service.

In the last couple of years Cisco has been adding a broader set of security
functionality within the single Umbrella cloud console. This includes a Secure Web
Gateway (SWG), firewall-as-a-service, CASB functionality and we have simplified the
integration with edge devices including the popular SD-WAN integration. Cisco is the
leader in both security and networking and we are uniquely qualified to bring the
best of these two worlds together in a modern, cloud-delivered format that will keep
you better protected while saving you time and money.

Let’s take a look at the evolution to SASE that Gartner has been exploring in recent
reports.

16
What is Secure Access Service Edge (SASE)?
Network as a service (Connect it) | Market convergence: SASE | Security as a service (Secure it)

SD-WAN: Content delivery/caching; WAN optimization and routing; Quality of service;
SaaS acceleration
SSE: Cloud Access Security Broker (CASB); Zero Trust Network Access (ZTNA);
Firewall as a Service (FWaaS); Secure Web Gateway (SWG)

At a high level, if you add SD-WAN to an SSE architecture model, you have what
Gartner calls a Secure Access Service Edge architecture model. It’s better known as
SASE (pronounced sassy), and here is a high-level illustration of what it looks like.
SASE requires little to no hardware and employs cloud technology to combine SD-WAN
with security functions, including:

• Firewall as a Service (FWaaS); Secure Web Gateways; Cloud Access Security Brokers
(CASBs); Zero-Trust Network Access

17
Umbrella packages SIG Advantage

SIG Advantage: Firewall (L7 AVC; IPS)† ** | Inline DLP** | Cloud Malware Detection
(all supported apps) | Secure Malware Analytics††

SIG Essentials: L3-L4 Firewall† | Cloud Malware Detection (two apps) | File Analysis
(Secure Malware Analytics): now 500 samples/day

SIG for EDU

Secure Web Gateway and DNS Security Advantage: Selective Web Proxy | Web Filtering |
File Inspection: AV and Secure Endpoint | Investigate Console + On-demand Enrichment API

DNS Security Advantage and DNS Security Essentials (DNS for EDU: same feature set):
Policy, Reporting and Enforcement APIs | Cisco SecureX | S3 Log Management (not in
EDU) | Multi-Org Console | DoH | DNSSEC | Threat Lens

Base row beneath all packages:
Umbrella DNS security: Domain Filtering, Security Blocking and App Discovery and
Blocking | Network and Branch Protection (VA + AD Connector) + Roaming + Mobile User
Protection | Cisco Secure Mobility Client (AnyConnect) license for simpler roll out |
Highly available, Global cloud architecture powered by Umbrella and Talos threat
intelligence
24x7 access to Cisco Cloud Security Support (Cisco Software Support Enhanced:
Required attach) | (Optional) Premium Support Upgrade

† Qualifies for E-Rate funding
** Also available as add-ons for SIG-Essentials
†† Secure Malware Analytics (formerly known as Threat Grid) for 3 admin users and unlimited sample submissions

18
19
Umbrella Global Architecture

20
Born in the cloud global architecture
Rapid scalability, continuous innovation, high performance – without downtime

• Containerized, multi-tenant architecture powers scalability and reliability
• Agile infrastructure delivers continuous innovation without customer downtime
• Proven track record since 2006 with global data centers on six continents
• Low latency delivers high performance and up to 73% latency reduction

• Containerized, multi-tenant architecture: We disaggregate functions of traditional
appliances into microservices that we recreate as truly cloud-native functions. That
translates into great flexibility, the ability to rapidly scale and optimize
performance, and reliability.
• Our self-healing, automated, agile infrastructure is at the heart of our global
cloud architecture.
o Capabilities like a global load balancer and auto scale help to transparently
resolve issues and devise workarounds – without customer intervention.
o We constantly refresh parts of the infrastructure -- e.g. servers, networks, whole
data centers come in/out of rotation -- but this is invisible to end-users.
• Proven track record: Umbrella’s battle-hardened global cloud architecture is
designed, built and run by a deeply experienced team with stellar,
honed-in-the-trenches skills across security, networking, cloud-native architecture,
threat research, data science, and more.
• Umbrella’s DNS security capabilities have delivered 100% business uptime since the
service was first delivered in 2006.
• We are completely transparent. Cisco Umbrella publishes a snapshot of our current
network status and a rolling 30-day view of various operational messages and notices
online at https://status.umbrella.com/#/
• Recent Miercom testing of typical SaaS traffic showed that Umbrella’s network
delivers up to a 73% reduction in latency when compared to a typical ISP connection,
which translates into high performance.

21
Global cloud architecture (diagram)
Sources: Customer locations; On/off network devices; Remote users (encrypted and
unencrypted traffic options to connect to Umbrella Edge); Hardware integrations
Umbrella cloud edge: Encryption head-end; Cloud firewall; Security services
Connectivity: Multiple ISPs; Internet exchanges
Destinations: SaaS apps; Cisco Clouds

Umbrella takes traffic in from multiple sources and breaks apart and inspects that
traffic based on the security stack the customer applies. Improved performance to
the destination is provided based on the peering with our cloud partners

22
Large, global footprint keeps expanding (map)
• 38 DCs in 23 countries
• 100% business uptime since 2006
• New data centers in Reston, VA and Marseille, FR
• Aggressive data center rollout continues, across Americas, Europe and Asia
• Ability to keep U.S. traffic only in U.S. (education, government, regulated entities)

Data center codes shown on the map: STO1, CPH1, FRA1, AMS1, DUB1, WRW1, YVR1, LON1,
OTP1, SEA1, YYZ1, MIN1, CDG1, DEN1, CHI1, NYC1, MAD1, PAO1, ASH1, RST1, PRG1, NRT1,
LAX1, DFW1, ATL1, MRS1, MIL1, SEO1, OSA1, MIA1, DXB1, JED1, HKG1, MUM1, MEX1, MUM2,
CHE1, SIN1, RIO1, SAO1, JNB1, CPT1, SYD1, MEL1

A full list of DCs and planned upgrades is at the end of this deck

23
Peering across the globe
Umbrella peering accelerates application performance

• Peering lowers latency by providing more direct paths
• Peering from data centers to more than 1,000 organizations including leading SaaS
and IaaS providers (always growing)
• Up to 50% performance increase with key applications

Examples of peering partnerships*
SPs: AT&T (Global), Bell, Bharti Airtel Limited, BT, Charter, China Mobile, Google
Fiber, KDDI, Rogers, Swisscom, Telkom, Verizon, Vodafone
IaaS: Alibaba, Amazon, Dell Services, Digital Ocean, Equinix, Fastly, Go Daddy,
Google, Huawei Cloud, Microsoft, Rackspace
SaaS: Adobe, Apple, Baidu, Box, DocuSign, Microsoft, NS1, Oracle, Salesforce,
Square, Webex, Dropbox

* Not comprehensive

When discussing performance, focusing on the number of data centers alone can be
misleading.
• Customers may falsely assume that connection latency necessarily decreases when a
vendor’s data center is physically located closer to the ISP data center that’s a
connection point for the customer’s network and devices.
• The shortest path between the ISP and the vendor may require an excessive number
of intermediate stops due to a lack of peering or transit relationships. This may
still result in a slower path between points A and B, regardless of geographic
distance.
• Peering relationships between providers shorten the path that traffic travels
between them, reducing the number of routing hops, shrinking latency, and improving
performance.
• Umbrella’s 1000+ (and growing) peering relationships significantly contribute to
high performance between customer networks/devices, Umbrella, and content or SaaS
providers.

While Umbrella may not have data centers in China yet (in plan!), we peer with
global Chinese providers from China to offer better service and high performance
(e.g. Baidu, Huawei Cloud, etc.).

24
Anycast routing
• Rock-solid reliability and availability
• Anycast routing automatically selects the closest available data center (augmented
with global geo-aware load balancer)
• Delivers best availability and reliability
• Automates manual steps; eliminates the need to manage load balancers,
configuration files, or routing policies

Example: data center region code US-1
Los Angeles – 146.112.67.8 – Primary
Santa Clara – 146.112.66.8 – Secondary
In case of primary failure, the branch uses the secondary DC in the same region

• Hybrid Anycast routing – or augmented routing – looks for ways to deliver the
best availability
• During normal operation, it just works for the best customer
experience.
o If there’s a problem, it automatically makes a new route choice
based on available DCs
• It eliminates the need for customers to manage things like load
balancers, configuration files, or routing policies
• The image shows that if the primary route or DC had a failure, a
failover to a secondary DC in the same region occurs. If that entire
region encounters a failure, then the disaster recovery site will take
over. All this is done without customer intervention.
• The expectation is within a minute for inter DC region failover
(based on worst case BGP convergence testing)
• Tertiary failover may be higher

25
Meets compliance standards

• Industry data integrity and protection standards – Cisco Umbrella data centers
meet or exceed industry standards for security and uptime, such as Uptime Institute
Tier III standards, ISO27001, and SOC2.
• https://learn-umbrella.cisco.com/solution-briefs/cisco-umbrella-soc-3-report
• Carrier Neutral – Umbrella selects data center locations purely on the best
connections and quality service (not financial relationships with carriers)
• Cisco stringent requirements – Our data centers adhere to Cisco’s stringent
requirements for network connectivity, security, quality, and effective risk
controls, and help the Umbrella service satisfy the General Data Protection
Regulation (GDPR) requirements.

Customers are keen to follow industry compliance standards and for many
organizations, such compliance is mandatory (e.g. GDPR).

• ISO27001 / SOC2 – Umbrella data centers meet or exceed international and industry
standards such as ISO 27001 and SOC2, demonstrating Umbrella’s commitment to
security, quality, and effective risk controls

• GDPR compliance – Umbrella data centers meet or exceed Cisco's required data
protection and security standards to ensure the Umbrella Service complies with GDPR
and other applicable data protection laws

• Umbrella data centers meet or exceed Uptime Institute Tier III standards

• Carrier neutral – Umbrella selects data center locations purely on the best
connections and quality service (not financial relationships with carriers)

26
Threat Intel

27
Cisco Talos Threat Intelligence
Trusted global provider of cutting-edge security research

We see more so you can block more and respond faster to threats.

• 400+ full-time threat researchers and data scientists
• 5 billion reputation requests, 2 billion malware samples seen daily
• 5 billion category responses, 200 million IPs and URLs blocked daily

As mentioned a few moments ago, behind Umbrella security services is aggregated,
industry-leading threat intelligence from Cisco Talos.

• It’s an elite group of over 400 security experts devoted to providing superior
protection to our customers
• You can’t protect what you can’t see; the Cisco Talos team sees more threats,
more malware, more attacks than any other security vendor in the world. The
numbers here speak for themselves.
• When you see more, you can block more

28
Statistical and machine learning models

Massive and diverse visibility
• 5B daily reputation requests alone
• 2B daily malware samples processed

Security researchers
• Award winning, industry-leading researchers and analysts
• Develop learning models that automatically classify and score domains and IPs
• 200+ new vulnerabilities discovered per year

Models
• Dozens of models continuously analyze millions of live events per second
• Automatically uncover malware, ransomware, and other threats

Simply stated: We provide unmatched threat intelligence to stop attacks earlier

Umbrella also uses statistical and machine learning models to provide the most
predictive intelligence

Behind these models is massive and diverse data, and an incredible research team
• Let’s look more closely at our data: Umbrella resolves more than 580 billion
daily DNS requests across our user base. Not only is this data massive – it’s also
diverse and represents all markets, geos, and protocols. This combines with the
enormous and sophisticated threat intelligence and research capability from
Cisco Talos, the largest non-governmental threat research organization on the
planet. These two things together give us an unprecedented view of the internet.

• Our security researchers: They look at this data and use advanced techniques
like data mining and 3D visualization to identify patterns. They are constantly
finding new ways to uncover fingerprints that attackers leave behind and they
build our models to automatically score and classify the data.

• Our models: They continuously run against our data so we can uncover malicious
domains, IPs, and URLs before they’re even used in attacks. Our security
researchers are always innovating and creating new models to provide better
threat detection and classification.

29
Multi-faceted threat intel

Data sources: Live DNS, IP, BGP, DOMAIN, SSL, WHOIS, IP, HASH, WEB, ETC

Models:
1. Lexical – DGA prediction
2. Anomaly detection – Newly seen domains
3. DNS tunnelling
4. Graph-based – Co-occurrence model

Threat types (numbers are the models that attribute them): Botnet 1|2|4;
Crimeware 3|4; Exploit Kit 2|4; Phishing 1|2|4; Ransomware 2|4; Spam 2|4;
Trojan 2|3|4

Consumed by: Umbrella, Investigate

We use our statistical models, our machine learning, and our analysts to sift through
the data. First we start with all that we know about the data on the left. We map
domains to IPs, apply our models (some of which are represented here) and then, based
on the various models, we can map them to specific threat types.

Example: the lexical model can attribute threats to Botnet or Phishing.

This data is used to protect our Umbrella DNS security customers and is ALSO used in
threat hunting, threat analysis, and incident response via our Investigate product.

Blogs on some of our models are below:

• Co-occurrences (probability distribution of the time between two consecutive DNS
connections towards two malicious
domains): https://umbrella.cisco.com/blog/2013/07/24/co-occurrences/
• DNS Tunnelling and Newly Seen
domains: https://umbrella.cisco.com/blog/2017/01/17/announcing-two-new-security-categories-cisco-umbrella/

30
Module 2
Deployment

31
Protect on-network devices via DNS, a great starting point

Diagram (Your network): Laptop (IP 10.1.1.3, DNS server 10.1.1.1) → Internal DNS
Server (10.1.1.1) → Internet gateway (network egress IP 67.215.87.11) → external
DNS resolution by Umbrella (208.67.222.222)
Your policy: enforce all security settings for 67.215.87.11

• Larger networks often already point all devices to an internal DNS server such as
Windows or BIND
• Again, a single IP change will forward only external DNS traffic to the Umbrella
global network
• We do not replace it or impact any of your internal DNS resolutions
• There are easier DNS device integrations, like with Viptela, not depicted here

32
Enterprise-wide deployment in minutes

Existing network footprint:
• DNS/DHCP servers, Wi-Fi APs – simple config change to redirect DNS (Umbrella
virtual appliance also available)
• ISR1K and 4K, SD-WAN (Viptela), WLC, Meraki MR – provisioning and policies per
VLAN/SSID; tags for granular filtering and reporting; out-of-the-box integration

Endpoint footprint:
• AnyConnect roaming module, Cisco Umbrella Security Connector, Chromebook client –
granular filtering and reporting on- & off-network (Umbrella roaming client also
available)

- Through our built-in integrations with Cisco gear, you can use your existing Cisco
footprint to quickly provision thousands of network egresses and roaming laptops
– protecting your off-network users, branch users, and Wi-Fi users in minutes.
- We have integrations today with AnyConnect, ISR 1K and 4K devices, and new in
February — Cisco Wireless LAN controllers.
- For ISR 4K and WLAN controllers, you can set different policies for different VLANs.
So servers vs. workstations or with the Wireless LAN controllers - employee vs
guest Wi-Fi

33
Overview: Typical DNS Deployment Components

Diagram (YOUR NETWORK):
• AD Server w/AD connector – associates CEO with EXEC group (via HTTPS push) and
associates CEO with 10.1.1.3
• Umbrella VA (appliance IP 10.1.1.2) – inserts 10.1.1.3, GUID and Org ID in the
EDNS request, encrypts and forwards (GUID = CEO, a member of EXEC group)
• Internal DNS Server (DHCP IP 10.1.1.1) – internal domains office.acme.com
• Laptop (IP 10.1.1.3) – DNS server 10.1.1.1
• Internet gateway – network egress IP 67.215.87.11 → Umbrella 208.67.222.222
• Your policy: enforce all security settings for EXEC group
• Roaming CEO laptop (AnyConnect RSM or Umbrella RC) – embeds unique device ID and
GUID (if AD) in the EDNS request, encrypts and forwards

• In addition to our virtual appliance, you can have even greater granularity by using
our Active Directory (AD) connector
• Our Connector enables you to pinpoint infections by AD computer or user name,
or set policies by AD group membership, instead of internal subnets and IPs
• Deploy this auto-updated, read-only software on an Active Directory domain
controller or a separate Windows server domain member
• The Connector syncs only the user and computer group memberships to our
service under just your account using HTTPS
• When users authenticate, it also tells our VA the AD user, AD computer and the
internal IP of the device where they authenticated from
• When devices make DNS requests, the VA, which can see their internal IP, can now
insert the AD user and computer name into the request
• We do that using a globally unique identifier, which gets translated back into the
real AD user or computer name in our dashboard
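To make the two slides above concrete, here is an added example, not Umbrella's own code, of what a VA-style forwarder does: queries for internal domains stay on the internal resolver, while every other query is rebuilt with an EDNS0 OPT record whose option carries an org id and a device GUID, and a parser on the receiving side pulls those back out. The resolver addresses and the internal domain come from the slides; the option code 65001 (in the RFC 6891 local/experimental range), the org id, the GUID and the omission of the encryption step are constructed assumptions, since Umbrella's real encoding is not described on the page.

```python
"""
Added example, not Umbrella's own code: a toy model of the slide's virtual
appliance. Internal names stay on the internal resolver; every other query is
rebuilt with an EDNS0 OPT record whose option carries the org id and device
GUID, and extract_identity() parses them back out. Option code 65001
(RFC 6891 local/experimental range), the org id, the GUID and the missing
encryption step are assumptions; Umbrella's real encoding is not reproduced.
"""
import struct
import uuid

UMBRELLA_RESOLVER = "208.67.222.222"      # resolver IP shown on the slides
INTERNAL_RESOLVER = "10.1.1.1"            # internal DNS server on the slide
INTERNAL_DOMAINS = ("office.acme.com",)   # "Internal domains" on the slide
IDENTITY_OPTION_CODE = 65001              # assumption: local-use EDNS option code
OPT_RR_TYPE = 41


def route_query(qname):
    """Internal suffixes stay local; everything else goes to Umbrella."""
    name = qname.rstrip(".").lower()
    for suffix in INTERNAL_DOMAINS:
        if name == suffix or name.endswith("." + suffix):
            return INTERNAL_RESOLVER
    return UMBRELLA_RESOLVER


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname, txid, org_id=None, device_guid=None):
    """A-record query; when org_id is given, append an OPT RR with the identity."""
    tagged = org_id is not None
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if tagged else 0)
    msg = header + encode_name(qname) + struct.pack("!HH", 1, 1)
    if tagged:
        payload = struct.pack("!I", org_id) + device_guid.bytes
        rdata = struct.pack("!HH", IDENTITY_OPTION_CODE, len(payload)) + payload
        # OPT RR: root name, type 41, UDP payload size in CLASS, ext-rcode/flags in TTL
        msg += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Read an uncompressed name (queries built here never use pointers)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def extract_identity(msg):
    """Return (qname, org_id, guid); org_id and guid are None if no tag is present."""
    _txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    assert an == 0 and ns == 0, "queries carry no answer or authority records"
    for _ in range(ar):
        _name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_RR_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):   # walk the option list inside the OPT RR
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == IDENTITY_OPTION_CODE and olen == 20:
                return qname, struct.unpack("!I", body[:4])[0], uuid.UUID(bytes=body[4:])
    return qname, None, None


def handle(qname, txid, org_id, device_guid):
    """VA-style decision: forward internal names untouched, tag external ones."""
    target = route_query(qname)
    if target == INTERNAL_RESOLVER:
        return target, build_query(qname, txid)
    return target, build_query(qname, txid, org_id, device_guid)


if __name__ == "__main__":
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")   # constructed sample GUID
    for name in ("www.example.com", "intranet.office.acme.com"):
        target, wire = handle(name, 0x1234, 4242, guid)
        print(name, "->", target, extract_identity(wire))
```

The identity rides in the additional section, so a resolver that does not understand the option ignores it and still answers the question; that is what makes the mechanism RFC-compliant as the later slide puts it. The real appliance also encrypts the tag before forwarding, which this toy deliberately leaves out.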

34
Overview: Identity & Deployment Types

Domain request → IP response → connection (HTTP/S). Securely embed identities within
the query using an RFC-compliant mechanism, with differing granularity based on
deployment; web-based redirects transparent to the user enable the same identity for
the proxy.

Network via egress IP for all deployments

Umbrella deployment → identities available:
• Your DNS or DHCP server → N/A
• Umbrella roaming client (RC) → Hostname (GA), Internal IPs (LA), Usernames* (LA)
• Umbrella Chromebook client → Internal IPs, Usernames*
• Umbrella AD Connector → Usernames with groups for RC and VA
• Umbrella virtual appliance (VA) → Internal IPs, Subnets, Usernames*
• Umbrella API for network devices → Network device names or VLAN IDs

*Indicates identity available with Umbrella AD Connector

We’ve mentioned identities several times, so here’s how they’re made available
through various existing and new Umbrella deployments.

For every deployment, we’ll always know the egress IP if you’d like to provision your
networks as an identity in your policies. But for greater granularity, we offer both our
own stand-alone endpoint and network footprints as well as integrations with Cisco’s
and many customers’ existing footprints.

35
Flexible SIG connection methods

• IPsec tunnel – CDFW & Web – HQ & Branch
• Proxy chain or Cloud PAC File* – Web only – HQ & Branch
• Cisco Secure Client (AnyConnect) – Web & DNS – Roaming

* Optional customer hosted PAC file

There are a variety of ways to send traffic to Umbrella.

Cloud delivered firewall and SWG traffic can be sent from a variety of devices via an
IPsec tunnel.
A proxy chain or PAC file approach can be used to forward web traffic to the SWG. (In
order to use PAC file or Proxy Chaining you must first point your DNS to Umbrella to
be able to resolve to the closest SWG DC. Using only an IP for PAC files is supported
but comes at the expense of some HA capabilities.)
The Cisco Secure Client (AnyConnect) agent can be used to send both web traffic and
DNS traffic to Umbrella.

Let’s look at some more details on different types of traffic.

36
Traffic Redirection Methods

• DNS Redirection → DNS Resolvers (with Selective Proxy) → Internet
• IPsec Tunnel → Cloud Delivered Firewall → Internet
• AnyConnect, PAC File, Proxy Chaining, Traffic Orchestrator → Secure Web Gateway → Internet

Numerous integration types, 3 main principles

3 main entry points into Umbrella

Based on this understanding, we will start building the policies

37
Policy Enforcement

SD-WAN devices on network → Umbrella → Internet/SaaS (NAT; DNS, CDFW, and SWG blocks)

• DNS: Allow → CDFW; Block → block
• CDFW: Allow web (80/443) → SWG; Allow others (e.g. port 21) → allow; Block → block
• SWG: Allow → CASB; Block → block
• CASB: Allow → allow; Block → block

Depending on the deployment method, one or more policies (enforcement engines)
will be applied: it could be DNS only (mobile devices), DNS and SWG (AnyConnect),
SWG only (PAC, proxy chaining), CDFW and SWG (tunnels), DNS/SWG/CDFW (tunnel) and
many other combinations. If all enforcement methods are applied, the above logic
applies (DNS > CDFW > SWG > CASB).

38
Order of operation – rule match view

DNS Policy → (Allow) → Firewall Policy → web traffic continues to the WEB Policy;
non-web traffic is decided by the Firewall Policy

IMPORTANT:

- identity in DNS and WEB
- first match only

Do not replicate existing multiple match policies from the proxy

Zoom into single rules ...

39
Order of operations – policy component view

DNS Policy Rule: Security Settings; Content Settings; Application Settings;
Selective Proxy; File Analysis
Firewall Policy Rule: Source Tunnel; Source Protocol/IP/Port; Application;
Destination Protocol/IP/Port
WEB Policy Rule: Security Settings; Content Settings; Application Settings;
Tenant Control; File Security

Leave SECURITY settings ON

DNS is a control-layer protocol

WEB is inline

Consider the following:

Is Selective proxy needed?

What is the difference between Application and Content?

40
Content Categories - DNS versus WEB

DNS Content Category: must decide on the domain alone. WEB Content Category: classification is based on the URL.

URL                        DNS category         WEB category
www.example.com            Online Communities   Online Communities
www.example.com/sports     Online Communities   Sports
www.example.com/adult      Online Communities   Adult content

Umbrella distinguishes between DNS and WEB categories. They are similar but not 100% the same; the reasons for this are historical.

Application settings – DNS versus WEB

Diagram: DNS and WEB policy can both block an application; WEB policy can also control it.

Similar for Application Control: DNS can detect and block, while WEB adds more fine-grained controls by limiting specific application functionality.
Proxy – Selective vs Full

PROXY                   Selective (DNS)     Full (WEB)
Traffic being proxied   Only graylist       All
TLS decryption          Yes                 Yes
Customer Certificate    No                  Yes
Decryption exceptions   Per Category        Per Category, Application, Domain
Application control     No                  Yes
File Type control       No                  Yes
File Security           AV and AMP          AV and AMP and Sandbox
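To make the behaviour of slides 38 to 43 concrete (first match within a layer, DNS before CDFW before SWG, domain-only classification at the DNS layer versus URL classification at the web layer, and a selective proxy that only sees graylisted domains), here is an added Python model. It is an illustration written for this guide, not Umbrella's policy engine, API or any Cisco code; the category tables, the blocklist, the graylist, the rule sets and the sample URLs are all constructed, and the CASB stage is left out.

```python
"""Toy model of Umbrella's layered, first-match policy evaluation (DNS > CDFW > SWG).

Added example for this guide, not Umbrella's engine or data; everything below is
constructed sample data and the CASB stage is omitted.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# DNS can only classify the domain; the web layer classifies the full URL (path included).
DNS_CATEGORY = {"www.example.com": "Online Communities", "gray.example": "Uncategorized"}
WEB_CATEGORY = {
    ("www.example.com", "/sports"): "Sports",
    ("www.example.com", "/adult"): "Adult Content",
}
SECURITY_BLOCKLIST = {"malware.example"}   # stands in for the Security Settings block
GRAYLIST = {"gray.example"}                # domains a selective proxy would inspect
WEB_PORTS = {80, 443}


@dataclass
class Rule:
    action: str                         # "allow" or "block"
    category: Optional[str] = None      # None matches any category
    ports: Optional[frozenset] = None   # CDFW only: destination ports matched


def first_match(rules, category=None, port=None, default="allow"):
    """First-match semantics: the first rule whose conditions fit decides."""
    for rule in rules:
        if rule.category is not None and rule.category != category:
            continue
        if rule.ports is not None and port not in rule.ports:
            continue
        return rule.action
    return default


def web_category(host, path):
    """Longest matching URL path prefix; falls back to the domain-level category."""
    best = None
    for (h, prefix), cat in WEB_CATEGORY.items():
        if h == host and (path == prefix or path.startswith(prefix + "/")):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, cat)
    return best[1] if best else DNS_CATEGORY.get(host, "Uncategorized")


def evaluate(url, port, dns_rules, fw_rules, web_rules, full_proxy=True):
    """Return (verdict, trail). full_proxy=True is SIG (all web traffic proxied);
    full_proxy=False is DNS-only with the selective proxy (graylist only)."""
    parts = urlsplit(url)
    host, path = parts.hostname, (parts.path or "/")
    trail = []
    # 1. DNS layer: security settings first, then the content category of the domain alone.
    if host in SECURITY_BLOCKLIST:
        return "block", ["dns:security:block"]
    dns_cat = DNS_CATEGORY.get(host, "Uncategorized")
    action = first_match(dns_rules, category=dns_cat)
    trail.append(f"dns:{dns_cat}:{action}")
    if action == "block":
        return action, trail
    # 2. CDFW: non-web ports are decided here; web ports are handed on to the SWG.
    if port not in WEB_PORTS:
        action = first_match(fw_rules, port=port)
        trail.append(f"cdfw:{port}:{action}")
        return action, trail
    # 3. SWG: a selective proxy only sees graylisted domains; a full proxy sees all web traffic.
    if not full_proxy and host not in GRAYLIST:
        trail.append("swg:skipped (selective proxy, domain not graylisted)")
        return action, trail
    web_cat = web_category(host, path)
    action = first_match(web_rules, category=web_cat)
    trail.append(f"swg:{web_cat}:{action}")
    return action, trail


# Constructed rule sets, each ending in an explicit catch-all allow.
DNS_RULES = [Rule("block", category="Gambling"), Rule("allow")]
FW_RULES = [Rule("block", ports=frozenset({21})), Rule("allow")]
WEB_RULES = [Rule("block", category="Adult Content"), Rule("allow")]


def demo():
    """Run the sample requests; returns {(url, port, full_proxy): (verdict, trail)}."""
    cases = [("https://www.example.com/adult/pics", 443, True),
             ("https://www.example.com/sports", 443, True),
             ("ftp://files.example/", 21, True),
             ("https://malware.example/", 443, True),
             ("https://www.example.com/adult/pics", 443, False)]
    return {c: evaluate(c[0], c[1], DNS_RULES, FW_RULES, WEB_RULES, full_proxy=c[2]) for c in cases}


if __name__ == "__main__":
    for (url, port, full), (verdict, trail) in demo().items():
        print(f"{verdict:5} {url}:{port} full_proxy={full} via {' > '.join(trail)}")
```

The last case is the one that matters for the DNS-versus-WEB category slide: with the selective proxy and a domain that is not graylisted, the /adult path is never seen, so the request is allowed on the strength of the domain-level category alone. The same URL through a full proxy is blocked by the web layer.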
Policy Best Practices – with full SIG integration

DNS Policy:
• Focus on Threat Defence
• Do not duplicate WEB controls
• Do you really need identity here?

Firewall Policy:
• Keep it a simple global policy
• Focus on filtering unwanted destinations and protocols

WEB Policy:
• Identity
• File security
• Granular App Control
• Tenant controls
• HTTPS decryption
Policy example

Endpoint   Location   DNS   CDFW           SWG            Note
Win10 PC   HQ         Yes   No (Phase 2)   No (Phase 2)   Added layer to existing security stack (Network)
Win10 PC   Roaming    Yes   No             Yes            AnyConnect
Win10 PC   Branch     Yes   Yes            Yes            SD-WAN

Diagram: the policy components behind each row. DNS policy (Security Settings, Content Settings, Application Settings, Selective Proxy, File Analysis); Firewall policy (Source Tunnel, Source Protocol/IP/Port, Application, Destination Protocol/IP/Port); WEB policy (Security Settings, Content Settings, App Settings, Tenant Controls, File Security). The diagram is annotated with AnyConnect and Trusted Network Detection for the roaming case.

Putting it all together; focus on the snippet with the Win10 PC for the sake of space.

… now one thing we have not tackled yet is the human touch: we have not spoken about identity.
Deployment Fundamentals
Deployment Checklist for DNS Security
https://learn-cloudsecurity.cisco.com/umbrella-resources/umbrella/deployment-checklist-for-dns-security-packages
Deployment Checklist for SIG Security
https://learn-cloudsecurity.cisco.com/umbrella-resources/umbrella/deployment-checklist-for-sig-security-packages
Project Delivery
Keys to Success:
• Well Defined Scope
  • What’s in-scope, and what’s not…
  • “Scope creep” is common
• Clear Roles & Responsibilities
  • Single customer point of contact - PM
• Customer Involvement and Communication
  • Multiple teams – Identity, Helpdesk, Security, AD, Endpoints
  • Executive Sponsor
• Clear Use Cases
Project Delivery
Keys to Success:
• Define Success at Project Start
• Follow Project Timelines & Milestones
• Pilot and formal customer validation before production deployment
• Define & follow formal test criteria
• Provide Documentation
• Include Knowledge Transfer (may include multiple teams)
In-Scope Documentation
• High Level Design (HLD) – Presents requirements and build details
• Statement Of Work (SOW) – Defines expectations and success criteria
  • Defines Scope, Milestones, Deliverables and Customer vs. Partner Responsibilities
• Bill Of Materials (BOM) – What products have been purchased
• Project Customer checklist – Information needed for the project to commence
  • Contacts, access, site details, appliance and licensing info, etc.
• As-Built – Final documentation for customer consumption

You may see many different documents as part of a Duo implementation project; here are some examples.
Deployment Planning & Design
Deployment Planning
Information to collect

What do we protect (iterate):
• Which users?
• Which devices?
• Which locations?

Tools at our disposal:
- DNS only
- WEB only
- DNS + WEB
- DNS + WEB + CDFW
- Existing tools?

DNS only – for roaming iOS/Android or basic DNS
WEB only – for PAC file, proxy chaining forwarding
DNS + WEB – for roaming AnyConnect PC/Mac
DNS + WEB + CDFW – for IPsec forwarding
Create a Simple Matrix
Organize Information

Endpoint   Location   DNS   CDFW           SWG            Note
Win10 PC   HQ         Yes   No (phase 2)   No (phase 2)   Added layer to existing security stack
Win10 PC   Roaming    Yes   No             Yes            AnyConnect
Win10 PC   Branch     Yes   Yes            Yes            SD-WAN
iOS        HQ         Yes   No (phase 2)   No (phase 2)   Added layer to existing security stack
iOS        Roaming    Yes   No             No             Cisco Security Connector
Solution Deployment Scope

Type                                 Scope
In-Scope Traffic Types               Example: Corporate – Branch – Roaming – Guest – Datacenter/Applications/Servers
In-Scope Device Types                Example: Desktop – Laptop – VM – Kiosk – Mobile device (iOS, Android, Chromebook)
Sizing                               Number of sites; Number of users; DNS queries per second; Number of AD domains; Number of AD groups for policy
Active Directory Integration         Required / Not Required
Intelligent Proxy & SSL Decryption   Required / Not Required
Module 3 – Identity
Choosing the Right Identities
• In Umbrella an identity is essentially a traffic source
• Identities can be very broad, such as traffic originating from a public (NAT) IP address, or very specific, like a user or private IP address.

Which layers enforce identity?
- DNS
- WEB
- DNS and WEB

Which identity surrogates does Umbrella use?
- DNS: IP address –> User
- WEB: Cookie –> User; IP address –> User

Which Umbrella components are needed?
- DNS: Virtual Appliance; AnyConnect/CSC
- WEB: SAML IdP; AnyConnect
Umbrella Core Identities – more often used
List of Umbrella Core Identities

Core Identity            Derived From                 Used For
Networks                 Manual Configuration         DNS, SWG
Internal networks        Manual Configuration         SWG, CDFW
Network Devices          Device API registration      DNS
Roaming Computers        Endpoint API registration    DNS, SWG
Roaming Computer Tags    Manual                       DNS
Mobile Devices           Endpoint API registration    DNS
Chromebook users         Client Extension             DNS, SWG
Network Tunnels          Manual / API Configuration   SWG, CDFW
Users and Groups         AD Synchronisation           DNS, SWG
Umbrella Sites

Diagram: one Umbrella tenant (“org”) containing three Umbrella Sites, US, EMEAR and APAC. Each site has its own AD Connectors (ADc), Virtual Appliances (VA) and AD servers.

A method to logically separate identity components and information within a single Umbrella tenant.
Network Identity - Deployments > Core Identities > Networks

• A network identity can represent a single public IP or CIDR.
• When a network identity is configured for a policy, any web traffic egressing from that IP or CIDR may match the policy.
• Any security or access control policy components configured in the policy will then be applied to web traffic egressing from the defined network identity.
Tunnel Identity - Deployments > Core Identities > Tunnels

• A tunnel identity represents an established, persistent connection between your IPsec-capable device and the Umbrella cloud.
• When a tunnel identity is configured for a policy, any web traffic egressing through that tunnel may match the policy.
• Any security or access control policy components configured in the policy will then be applied to web traffic egressing from the defined tunnel identity.
Internal Network Identity - Deployments > Configuration > Internal Networks

• An internal network identity can represent a single private IP or subnet within a network or tunnel.
• When an internal network identity is configured for a network or tunnel, any web traffic egressing from that network or tunnel which matches the internal network may also match the policy the network or tunnel is configured for.
• Any security or access control policy components configured in the policy will then be applied to web traffic matching the internal network identity.
• Note: to leverage internal network identities, your deployment of Umbrella must be capable of capturing internal network information, such as proxy chaining with XFF configured, or an IPsec tunnel with no NAT in the tunnel.
Roaming Identity - Deployments > Core Identities > Roaming Computers

• Once CSC/AnyConnect/URC is properly installed, the identity will appear in the Umbrella dashboard with the hostname of the local machine.
• When creating an Umbrella secure web gateway policy, these identities will be available as Roaming Identities in the policy wizard.
Cisco Secure Client (AnyConnect)
Entitlement is included for use with an Umbrella subscription (excludes VPN functionality)

• AnyConnect can be used across an entire enterprise
• Both Umbrella DNS and Secure Web Gateway services can co-exist
• Protect assets on or off network
• Simple and consistent user attribution
• Choice of fail open or fail closed

Supports Windows and Mac desktops

Umbrella is integrated with the AnyConnect agent for both DNS and SWG. The endpoint client is an all-in-one deployment method for Umbrella SWG. It handles traffic forwarding, traffic authentication and user authentication without any added complexity or additional infrastructure. AnyConnect Apex is the license level, but VPN functionality is excluded. The customer only needs one of two things: a SIG Essentials subscription, or the SIG add-on to their existing DNS subscription. This is a simple way to secure internet access for roaming users.

Highlighted details (samples):
• Doesn’t use PAC. Doesn’t use SAML.
• Supports internal/external domain bypass for SaaS apps.

Can you install AnyConnect Umbrella SWG without Umbrella DNS?

No, both services are installed by the same Umbrella module, and SWG relies on DNS at this time for anycast to find the closest Umbrella data center.
Unmanaged mobile device protection
Umbrella is now able to protect any (modern) Android, Chromebook or iOS device with DNS Security, without MDM

iOS
• iOS 14 or higher
• Cisco Security Connector application installed

Android
• Android 8.0 or higher
• Device with a camera or Firefox browser installed
• Cisco Secure Client application installed

Enrollment is by QR code.

The target audience of this feature is two organization types:

• Small businesses without an MDM subscription
• Larger organizations with some unmanaged devices in the deployment mix (such as employee devices) for which voluntary coverage is to be offered

Are there any major differences from managed coverage?

User interaction is required to activate coverage, and users are able to deactivate coverage at any time. Additionally, due to iOS restrictions, the protection status is only updated when the end user has opened the Cisco Security Connector application.
DNS-layer security via Umbrella Chromebook client

Diagram (inside the Chromebook): the user (teacher/student) uses the Chrome browser; the Chrome extension identifies the user and the Chrome app acts as a local DNS server that forwards queries to the Umbrella resolver. Flow: the device auto-registers, gets its policies and applies them. The admin manages devices and views reports in the Umbrella dashboard.
Umbrella SWG support for Google Chromebooks

Latest Umbrella supported platform
• Devices secured on/off network
• Targeting customers in both Education and Enterprise
• Umbrella SIG Essentials/Advantage and SIG-EDU packages
• Chromebooks with ChromeOS v55 or newer

Leverages Chrome browser extension
• Named “SWG Umbrella Chromebook Client”
• Identifies Chromebook users to obtain protection, then intercepts web traffic and forwards it to SWG services
• Google Directory services integration
• Populates the Umbrella dashboard with Chromebook OUs
• Enforces Umbrella Web Policy on Chromebooks
• Simplified deployment

We achieve this functionality on Chromebook using an extension on the Chrome browser called SWG Umbrella Chromebook Client, which helps intercept web traffic and redirect it to Umbrella SWG services. Also, customers who are using Google Directory services (Google Workspace, previously referred to as G Suite) will be able to supplement Chromebook SWG with our Google Identity Integration for creating user-based Web Policies.
SAML User and Group Identities - Deployment > Configuration > SAML

• SAML-based identities can represent a single user, or a group of users, as defined in your Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) objects.
• Web traffic egressing from a network or tunnel may be enabled for SAML authentication, thereby challenging unauthenticated web traffic to provide a unique user identity, including the user’s group memberships.
User/Group Synchronization

Diagram: (1) the AD Connector reads from AD and (2) pushes users and groups to the Umbrella cloud, where they appear in the Policy UI. One AD Connector per Umbrella Site.

Actions:
• Register AD Server
• OpenDNS_Connector

Best Practice:
• AD Group Filter
• Account Exceptions

Key players are AD, the AD Connector (ADC) and the Umbrella cloud.

Once an AD server has been registered, the ADC will be notified and will proceed to read out the users, groups and group membership information.

This will now be visible in the Umbrella policy configuration UI and you will be ready to configure policies.
On-prem AD-based DNS Identity Enforcement

Diagram: (1) the AD Connector reads users, groups and login events from the AD servers and (2) sends them to the Umbrella cloud; (3) the resulting IP-to-user mappings reach the Virtual Appliance (VA), which (4) forwards the clients' DNS requests to Umbrella carrying that identity.

Things to keep in mind:
• AD login events
• ADC sizing
• VA sizing
• Umbrella Sites for scaling

Note: the Umbrella Virtual Appliance is a conditional DNS forwarder.
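To show what the “IP address –> User” surrogate on this slide actually does, here is an added Python illustration that applies AD logon events to DNS queries the way the slide describes (logon events collected through the AD Connector, applied to queries seen by the VA). It is written for this guide and is not Umbrella's AD Connector or Virtual Appliance code; the logon events, IP addresses, user names, the HQ-Network fallback identity and the 8-hour staleness limit are constructed assumptions.

```python
"""Illustration of the 'IP address -> user' surrogate behind DNS-layer identity.

Added example for this guide, modelling the concept on the slide (AD logon events
applied to DNS requests); it is not Umbrella's AD Connector or VA code. All events,
queries, names and the staleness limit are constructed.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AD logon events: (logon time, internal IP, account name).
# 10.1.1.20 is reused by DHCP: alice in the morning, bob after midday.
LOGON_EVENTS = [
    (datetime(2023, 5, 1, 8, 0), "10.1.1.20", "alice"),
    (datetime(2023, 5, 1, 12, 0), "10.1.1.20", "bob"),
    (datetime(2023, 5, 1, 0, 30), "10.1.1.30", "carol"),
]


class IpUserMap:
    """Most-recent-logon-before-query mapping, with a staleness limit (assumed 8h)."""

    def __init__(self, events, max_age=timedelta(hours=8)):
        self.by_ip = defaultdict(list)          # ip -> [(time, user)] sorted by time
        for ts, ip, user in sorted(events):
            self.by_ip[ip].append((ts, user))
        self.max_age = max_age

    def lookup(self, ip, at):
        events = self.by_ip.get(ip)
        if not events:
            return None                          # no logon ever seen from this IP
        times = [t for t, _ in events]
        i = bisect_right(times, at) - 1
        if i < 0:
            return None                          # query predates the first logon
        ts, user = events[i]
        if at - ts > self.max_age:
            return None                          # mapping too old to trust
        return user


def attribute(query, ipmap, network_identity="HQ-Network"):
    """Decide which identity a DNS query is logged against.

    A user identity is used when the surrogate resolves; otherwise the query
    falls back to the broader network identity the VA belongs to (constructed name).
    """
    user = ipmap.lookup(query["src_ip"], query["ts"])
    if user is None:
        return {"qname": query["qname"], "identity": network_identity, "type": "network"}
    return {"qname": query["qname"], "identity": user, "type": "user"}


# Constructed DNS queries as the VA would see them (source IP only, no user yet).
QUERIES = [
    {"ts": datetime(2023, 5, 1, 9, 0), "src_ip": "10.1.1.20", "qname": "www.example.com"},
    {"ts": datetime(2023, 5, 1, 12, 30), "src_ip": "10.1.1.20", "qname": "mail.example.com"},
    {"ts": datetime(2023, 5, 1, 7, 0), "src_ip": "10.1.1.20", "qname": "early.example.com"},
    {"ts": datetime(2023, 5, 1, 10, 0), "src_ip": "10.1.1.30", "qname": "stale.example.com"},
    {"ts": datetime(2023, 5, 1, 10, 0), "src_ip": "10.1.1.99", "qname": "unknown.example.com"},
]


def attribute_all(queries=QUERIES, events=LOGON_EVENTS):
    """Attribute every sample query; returns a list of {qname, identity, type} rows."""
    ipmap = IpUserMap(events)
    return [attribute(q, ipmap) for q in queries]


if __name__ == "__main__":
    for row in attribute_all():
        print(f"{row['qname']:22} -> {row['type']:7} {row['identity']}")
```

The three fallback cases are the ones worth noticing in a real deployment: a query from an IP with no logon event, a query that predates the first logon, and a mapping that has aged past the limit all drop back to the network identity, which is why the slide lists AD login events as the first thing to keep in mind.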
On-prem AD-based WEB Identity Enforcement

Diagram: the AD Connector reads users and groups from AD (1) and sends them to the Umbrella cloud (2); no login events are needed. Web traffic is forwarded to Umbrella (IPsec, PAC or proxy chain), unauthenticated traffic is challenged against the SAML 2.0 IdP, and the authenticated request proceeds to the SaaS destination with the user identity applied (steps 3 to 6).

Forwarding:
• IPsec
• PAC
• Proxy Chain

Source: BRKSEC-2037
Module 4 – DNS
Where does Umbrella DNS fit?

Diagram: threats (malware, C2 callbacks, phishing) arriving at HQ, branch and roaming users. Today's stack is NGFW, Netflow, proxy and sandbox at HQ, a router/UTM at the branch, and AV on every endpoint. Umbrella DNS sits in front of all of it as the first line.

Benefits
• First line: block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster
• Provision globally in minutes

- Think about where you enforce security today.


- Questions to pose: What do you use to protect your network? Your endpoints?
- You probably have a range of products deployed at your corporate headquarters
and branch offices, or on roaming laptops.
- There are many ways that malware can get in, which is why it’s important to have
multiple layers of security.

Umbrella + DNS:
- Umbrella can be the first layer of defense against threats by preventing devices
from connecting to malicious or likely malicious sites in the first place—which
significantly reduces the chance of malware getting to your network or endpoints.
- We use DNS as one of the main mechanisms to get traffic to our cloud platform,
and then use it to enforce security too.
- DNS is a foundational component of how the internet works and is used by every
device in the network.
- Way before a malware file is downloaded or before an IP connection over any port
or any protocol is even established, there’s a DNS request.

Let’s look now at the key features for Umbrella.
It all starts with DNS

DNS = Domain Name System

Diagram: a client asks Umbrella for Cisco.com and gets back 72.163.4.161.

• First step in connecting to the internet
• Precedes file execution and IP connection
• Used by all devices
• Port agnostic

With Umbrella, it all begins with DNS. We use it as the main mechanism to get traffic to our cloud platform for inspection.

Now everyone has probably heard of DNS, but let’s level set on what it is, and why it’s so important with Umbrella. DNS is the domain name system, and it’s used to map domain names like cisco.com to an IP address.

Think about when you want to call your friend or colleague. You’ll look up their name in your contact list, instead of trying to remember everyone’s phone number. DNS was developed for a very similar reason: so you wouldn’t need to remember the IP address for every website you want to visit.

DNS is the first step in nearly all internet connections, and it’s used by all devices. So with Umbrella, we’re tying into something you’re already doing. Any time you click on a link or type a URL for an external site, the request goes to a recursive DNS service, like Umbrella, to look up the IP address.

So, Umbrella will resolve the DNS request, plus add security at the same time, all without adding any latency. In fact, many customers report better internet performance after switching to Umbrella.

Why is this so useful for security?

1. DNS is used by all devices, every time the device connects to the internet
   • Tying into something organizations are already doing
   • They’re already relying on someone for recursive DNS, most likely their ISP, so we’re doing that, PLUS adding security (without adding any latency)
2. It turns out this same mechanism is also useful for finding malicious destinations on the internet, and stopping devices from connecting there
DNS

Domain registrar: maps and records names to #s in “phone books”
Authoritative DNS: owns and publishes the “phone books”
Recursive DNS: looks up and remembers the #s for each name

- Consider the analogy of a phone book.


- First there’s the domain registrar—this is where domain names are registered. The
domain registrar—for example Go Daddy— will record and map the domain name
to IP address—the same way you’d record names and phone numbers in a phone
book.
- Authoritative DNS owns and publishes the “phone books.”
- Then recursive DNS services, like Umbrella, look up the numbers for each name.
- Think about when you go to your contact list on your phone to call someone…you
look up their name because you don’t memorize everyone’s phone numbers.

Using a single global recursive DNS service

Benefits:
• Global internet activity visibility
• Network security w/o adding latency
• Consistent policy enforcement
• Internet-wide cloud app visibility

Diagram: today each enterprise location runs its own authoritative DNS for intranet domains (an internal InfoBlox appliance at location A, an internal Windows DNS server at location B, an internal BIND server at location C) and sends internet domains to a different ISP's recursive DNS (ISP1, ISP2, ISP3), while home users, roaming laptops and remote sites use whichever ISP they happen to be on. Umbrella becomes the single recursive DNS for internet domains; the internal servers stay authoritative for intranet domains.

- Using Umbrella to resolve all external DNS requests allows our customers to see all
their internet activity from all their locations and networks globally.
- Because our security solution operates at the DNS layer using existing Internet
infrastructure, we can offer network security with zero added latency.
- Executing security at the DNS layer also enables consistent policy enforcement and
allows our customers to see which cloud applications are being used on their
networks.

DNS security
Visibility and protection for all activity, anywhere

• All office locations
• Any device on your network
• Roaming laptops
• Mobile devices: iOS & Android
• Every port and protocol

Diagram: on network (HQ, branch, IoT, BYOD) and off network (roaming, managed iOS devices).

Umbrella provides visibility and protection for all of your internet traffic.

Specifically:
- We provide the visibility needed to protect internet access across all office
locations, all devices on your network, and roaming laptops.
- We provide visibility into sanctioned and unsanctioned cloud services, so you can
uncover new services being used, see who is using them, and identify potential
risk.
- As attackers try to infiltrate networks with different tactics, Umbrella also provides
coverage and visibility for all ports.
- As the internet moves towards HTTPS, more destinations will require SSL
decryption to effectively see and block. Umbrella provides visibility and protection
for HTTPS destinations, without adding latency.

Central to this visibility is Umbrella’s reporting capabilities:


- Umbrella displays data in real-time – similar to Twitter in that if someone sends a
DNS request, seconds later it is visible within a report.
- Umbrella offers 10+ out-of-the-box reports
- Customers can also set filters for custom views, share with email recipients and
schedule these to run every day, week, or month.

Prevents connections before and during the attack

Web- and email-based infection:
• Malvertising / exploit kit
• Phishing / web link
• Watering hole compromise

Command and control callback:
• Malicious payload drop
• Encryption keys
• Updated instructions

Stop data exfiltration and ransomware encryption

- Umbrella not only protects against initial infection
- Umbrella also prevents command and control callbacks (aka C2 callbacks)
- So even if devices become infected in other ways, Umbrella blocks the communication to an attacker’s server, stopping data exfiltration or the download of ransomware encryption keys
- C2 callbacks are blocked using the same DNS enforcement process described a moment ago.
- And in the event that the malicious payload is designed to bypass DNS and use a direct-to-IP connection, Umbrella goes beyond DNS to provide malicious IP blocking and enforcement.
Gather intelligence and enforce security at the DNS layer

Diagram: any device sends its request to Umbrella's recursive DNS, which in turn walks the authoritative DNS hierarchy (root, com., domain.com.).

User request patterns, used to detect:
• Compromised systems
• Command and control callbacks
• Malware and phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains

Authoritative DNS logs, used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains

- With DNS resolution, we can make many threat discoveries.


- First any device will send a DNS request to Cisco Umbrella.
- We analyze the request patterns to detect many types of threats and anomalies.
- For example, we can determine if a system is compromised based on the types of
requests it’s making. If a device is making requests to a number of known-bad
domains, it’s more likely to be compromised.
- The user requests patterns across our user base give us great insight into potential
threats.
- In the second part of the process, if our global cache doesn’t contain a non-expired
response to the request, then we recursively contact all of the name servers that
are authoritative for the domain requested.
- This process gathers authoritative logs for virtually every domain daily, which we
use to find newly staged infrastructures and other types of anomalies.

DNS tunneling allows malware authors to communicate in a covert channel. Data is encoded into DNS queries and responses.

Used to:
• Bypass security (firewalls, web proxies)
• Exfiltrate sensitive data
• Command and Control instructions
• Free WiFi

Here, an attacker has incorporated a DNS tunneling kit into an authoritative DNS nameserver. The attacker has also compromised a system and installed malware with a DNS tunneling client. The attacker issues an encoded command (“aop1”) that will tell the malware on the compromised computer to collect credentials. The command is added to the domain (“aop1.18-ququ.example.com”) and sent over DNS. The malware receives the command and collects the credentials. The malware encodes them and sends them back over DNS (“eui8”).
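As a defender-side illustration of the pattern this slide describes, here is an added Python detector that profiles DNS query logs for tunnel-shaped traffic: many distinct subdomains under one registered domain, long or high-entropy leftmost labels, and TXT/NULL record types. It is written for this guide and is not Umbrella's detection logic; the log format, the domains (c2-example.net, av-updates.example.org) and the encoded-looking labels are constructed, and the allowlist shows the usual caveat that CDNs and update services also emit hashed labels and have to be vetted by domain.

```python
"""Detector for DNS-tunneling-shaped query patterns, run over constructed log lines.

Added example for this guide; not Umbrella's detection logic. The log format, domains
and labels are made up. Each registered domain is scored on how many distinct
subdomains it receives and how long / how random their leftmost label is.
"""
import math
from collections import defaultdict

# Hand-built labels with the shape a tunnel client produces (long, many distinct symbols).
ENCODED_LABELS = [
    "4f9a2c7e1b0d3a5f6e8c2b1a9d7f0e3c",
    "d3c1b8a0f2e4967531bdfa08c6e2a4f9",
    "0b7e2d9c4a1f86e3b5d07c2a9e4f1b6d",
    "9e1a5c3f7b2d0e8a4c6f1b3d5a7e9c02",
    "6c2f9a0e3b7d1c5f8a4e2b6d0c9f3a71",
]

# Constructed log, one query per line: "<timestamp> <client_ip> <qname> <qtype>".
# example.com: ordinary host names. c2-example.net: encoded TXT queries (tunnel-shaped).
# example.org: a legitimate service that also uses hashed labels (a known false positive).
SAMPLE_LOG = "\n".join(
    [f"2023-05-01T10:00:0{i}Z 10.1.1.20 {h}.example.com A"
     for i, h in enumerate(["www", "mail", "cdn", "api", "login", "sso"])]
    + [f"2023-05-01T10:01:0{i}Z 10.1.1.21 {lab}.c2-example.net TXT"
       for i, lab in enumerate(ENCODED_LABELS)]
    + [f"2023-05-01T10:02:0{i}Z 10.1.1.22 {lab}.av-updates.example.org A"
       for i, lab in enumerate(ENCODED_LABELS)]
)
ALLOWLIST = frozenset({"example.org"})   # vetted domains with legitimately random labels


def shannon_entropy(s):
    """Bits per symbol of the string; 0 for a single repeated character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption: registered domain = last two labels (no public-suffix list in this toy).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_log(text):
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            yield {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype}


def profile_domains(records):
    """Per registered domain: distinct subdomains, leftmost-label length/entropy, TXT use."""
    stats = defaultdict(lambda: {"subdomains": set(), "lens": [], "ents": [],
                                 "txt_or_null": 0, "clients": set()})
    for r in records:
        labels = r["qname"].rstrip(".").split(".")
        sub = labels[:-2]
        if not sub:
            continue                         # bare domain: nowhere to encode data
        st = stats[registered_domain(r["qname"])]
        st["subdomains"].add(".".join(sub))
        st["lens"].append(len(sub[0]))
        st["ents"].append(shannon_entropy(sub[0]))
        st["clients"].add(r["client"])
        if r["qtype"] in ("TXT", "NULL"):
            st["txt_or_null"] += 1
    return stats


def suspicious_domains(records, allowlist=frozenset(), min_unique=5,
                       min_len=20.0, min_entropy=3.0):
    """Flag domains with many distinct subdomains whose labels are long or high-entropy."""
    findings = {}
    for dom, st in profile_domains(records).items():
        if dom in allowlist or len(st["subdomains"]) < min_unique:
            continue
        avg_len = sum(st["lens"]) / len(st["lens"])
        avg_ent = sum(st["ents"]) / len(st["ents"])
        if avg_len >= min_len or avg_ent >= min_entropy:
            findings[dom] = {"unique_subdomains": len(st["subdomains"]),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2),
                             "txt_or_null": st["txt_or_null"],
                             "clients": sorted(st["clients"])}
    return findings


if __name__ == "__main__":
    for dom, f in suspicious_domains(parse_log(SAMPLE_LOG), ALLOWLIST).items():
        print(dom, f)
```

The subdomain count threshold is what keeps example.com out of the findings even though it has six distinct host names: its labels are short and low-entropy. Run without the allowlist, example.org is flagged as well, which is the point of the caveat: the same heuristics fire on legitimate services, so findings need a per-domain allowlist and review rather than automatic blocking.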
Intelligent Proxy Overview

Diagram: the RESOLVER inspects the DNS request and response; the PROXY inspects the HTTP header, request and response. Any endpoint resolving gray.com is steered to the proxy, where web activity such as a request for /bad.exe is inspected.

Let's set a foundation of what the intelligent proxy is. It consists of resolvers and proxies, and the proxy itself is really no different from what you'd find in any cloud secure web gateway service. What makes it intelligent is that the resolver decides what to proxy and what to block directly at the resolver level. What you might be wondering, though, is how any endpoint knows where to send the web connection to.
Application Visibility & Control
Visibility challenge

Expectations (CIO):
“I know about ~40 cloud apps but there are others that we aren’t aware of… maybe double that number.”
“We use 3 or 4 collaboration apps.”

Reality:
~1,200 cloud apps in use
> 20 collaboration apps in use

• We consistently deal with customers that significantly underestimate the number of cloud apps in use. In a recent customer engagement the CIO told us that she knew of ~40 cloud apps but also knew that there were more SaaS apps in use… maybe even as many more. When we analyzed their network logs we discovered 1,220 apps in use (over 10X the amount they expected).

• In an important category, “Collaboration apps”, they again underestimated the number of apps in use. Visibility is an ongoing issue for most organizations… but it is only the first part of the challenge.
Umbrella App Discovery and Blocking

Diagram, automated process: Umbrella DNS logs -> log ingestion -> App Discovery Engine (Cloud App Security Index) -> App Discovery Reporting Area (Dashboard, Discovered apps grid, App detail/risk profile) -> link to Application Settings -> Category and Application Blocking (e.g. a1.com, b2.com, c3.com).

The Cisco Cloudlock App Discovery solution ingests DNS logs from your Umbrella tenant, normalizes and aggregates the data, and runs it against the Cloud App Security Index to identify the apps in use.

The results are presented in a variety of formats. The dashboard provides highlights and key trend information. The apps grid starts with a list of discovered apps and allows for a wide set of filtered and ordered views. Each app has its own drill-down view that includes information on the vendor, usage and risk details.
Umbrella App Discovery and blocking
• The App Discovery reporting section will replace
the Cloud Services Report
• Additional application coverage (Cloud App Security
Index)
• More detailed information on the vendor,
app, certificates, and risk factors
• Ability to block a category of apps or individual apps

Dashboard (Visibility; App and risk insight)

The dashboard has a set of high-level information to highlight key category, risk and usage information.
Apps grid (Visibility; App and risk insight; Optimization and blocking)

The apps grid provides the key data elements for each app and allows for a wide variety of custom views.
App detail / risk profile (App and risk insight)

The app detail pages contain a deeper set of information on the vendor, app and risk attributes.
App Blocking – App Settings Screen (Optimization and blocking)

When you click on “Block this app” from the Apps Grid listings or App detail page you are automatically linked over to the Policy page in the “Application Settings” section. Once you select the policy you want to add this block to, it will show you this screen and you simply have to click save to add this block to the policy.
Application visibility and control
Extends across enforcement points

DNS-layer security
• Visibility into cloud apps used in the organization
• Identify potential risk and block specific apps
• 16K+ apps discoverable

Cloud-delivered firewall
• Layer 7 application visibility and control
• Extends visibility, protection, control to:
  - Non-web (non-HTTP/S) traffic
  - Apps that use hard-coded IP addresses and do not perform DNS lookup
  - Apps where signature-based detection (not based on IP, domain, URL) is required to detect and block

Secure web gateway
• Granular control of web apps over HTTP/S (ports 80/443) or a custom port:
  - Block uploads to cloud storage apps
  - Block posts/shares to social media apps
  - Block attachments to webmail apps
  - Tenant restrictions

• AVC isn’t unique to CDFW. With this change, AVC is extended for broader coverage.
• At the DNS layer, Umbrella provides visibility into the cloud apps in use, helping
  customers identify potential risk and block specific apps if desired.
• SWG can block web-based apps at the URL level with granular control of app
  functions.
• CDFW complements this, extending AVC to non-web / non-HTTP(S) traffic, such as:
  - Apps not performing DNS lookup
  - Apps that use hard-coded IP addresses
  - Apps where signature-based detection (not based on IP/domain/URL) is required
    to detect and block
• I shared examples on the previous page.
• Today, we can identify/block ~1000 apps (and growing).
• NOTE TO SE: Re: blocking apps… Some apps use both web and non-web traffic (e.g.
  Zoom). Today, to completely block Zoom, the customer would set that policy in
  CDFW (to block the non-web traffic portions) and in SWG (to block the web traffic
  portions). Ideally (and unified policy will get us there), the customer would set
  policy for an app in one place only, and Umbrella would decide where to enforce
  it. We’re heading there quickly!
DNS Deployment Scenarios
Connecting to Umbrella

[Diagram: Customer roaming users (roaming client / AnyConnect) and on-network users (internal DNS or DHCP, network devices, VA and AD Connector) all forward DNS to Umbrella]
• Route traffic and IDs via DNS; no need for connectors/PAC files
• Anycast routing: customers are not tied to a data center

- Umbrella is one of the simplest solutions to deploy and manage.


- Because Umbrella is delivered from the cloud, there is no hardware to install or
software to manually update, and the browser-based interface provides quick
setup and ongoing management.
- Many customers deploy enterprise wide in less than 30 minutes.

On-network coverage:
- You can protect all devices on your network – even those you don’t own – by
changing one setting in your network server, access point or router.
- Customers have several additional deployment options which provide more
granularity for administration – specifically for policies and reporting.
- Customers can use a lightweight DNS forwarder, deployed as a virtual
appliance, to embed the local IPs associated with the internet traffic so that
administrators know which internal network made the internet request.
- For even more granularity at the user level, Umbrella can be integrated
with Active Directory so that customers have control and visibility per AD
user or computer.

For off-network coverage:
- If you use Cisco AnyConnect for VPN connectivity, you can use a built-in integration
  to enable roaming security.
- If not, we offer a lightweight, standalone client.

Let’s look at the deployment options in greater detail.

For more detailed deployment slides, see the backup slides.
The Simplest Way: Protect on-network devices via gateway’s DHCP
Small branch offices with no internal DNS server

[Diagram: Internet gateway with its DNS server setting changed from the default to 208.67.222.222; your policy: enforce all security settings for network egress IP 67.215.87.11]

• One IP change and every device behind your Internet gateway (e.g. router, Wi-Fi AP,
  firewall, proxy) is instantly protected, because DHCP seamlessly provisions
  devices—even those you don’t own—to forward DNS traffic to the Umbrella global
  network.
• With this configuration, policy and reports will only identify the network egress’
  public IP address, so you lack internal network, user or device granularity.
Protect on-network devices via DNS server

[Diagram: laptop 10.1.1.3 → internal DNS server 10.1.1.1 (external DNS resolution forwarded to 208.67.222.222) → Internet gateway; your policy: enforce all security settings for network egress IP 67.215.87.11]

• Larger networks often already point all devices to an internal DNS server such as
Windows or BIND
• Again, a single IP change will forward only external DNS traffic to the Umbrella
global network
• We do not replace it or impact any of your internal DNS resolutions

Protect internal networks via Umbrella virtual appliance

[Diagram: laptop 10.1.1.3 → Umbrella VA 10.1.1.2 (inserts 10.1.1.3, GUID and Org ID in EDNS request, encrypts and forwards) → Internet gateway → 208.67.222.222; internal DNS server 10.1.1.1 resolves internal domains such as office.acme.com; your policy: enforce all security settings for 10.1.1.3; network egress IP 67.215.87.11]

• For additional granularity within your network, we require a very lightweight
  presence there, which is why we offer virtual appliance software.
• Our Virtual Appliance enables you to pinpoint devices within your network that are
  infected or being targeted by attacks.
• It runs on VMware or Hyper-V and requires minimal CPU or RAM resources since
  it’s just DNS (and we support an unlimited number of instances or resources per
  instance).
• Simply point your Internet gateway to our VAs first, and then point our VAs to your
  internal DNS servers, including any internal resource domains that they resolve.
• It tags by internal IP address and forwards DNS queries bound for the Internet to
  the Umbrella Global Network.
• DNS already supports high availability, and we do require deploying 2 VAs per site
  so that VAs are auto-updated one at a time, to prevent service disruptions.
Protect AD users via Connector and Umbrella virtual appliance

[Diagram: AD server with AD Connector associates CEO with the EXEC group (via HTTPS push) and associates CEO with 10.1.1.3; laptop 10.1.1.3 → Umbrella VA 10.1.1.2 (inserts 10.1.1.3, GUID and Org ID in EDNS request, encrypts and forwards) → Internet gateway → 208.67.222.222; internal DNS/DHCP server 10.1.1.1 resolves internal domains such as office.acme.com; your policy: enforce all security settings for the EXEC group (GUID = CEO, a member of EXEC group); network egress IP 67.215.87.11]

• In addition to our virtual appliance, you can have even greater granularity by using
  our Active Directory (AD) connector.
• Our Connector enables you to pinpoint infections by AD computer or user name,
  or set policies by AD group membership, instead of internal subnets and IPs.
• Deploy this auto-updated, read-only software on an Active Directory domain
  controller or a separate Windows server domain member.
• The Connector syncs only the user and computer group memberships to our
  service, under just your account, using HTTPS.
• When users authenticate, it also tells our VA the AD user, AD computer and the
  internal IP of the device they authenticated from.
• When devices make DNS requests, the VA, which can see the internal IP, can now
  insert the AD user and computer name into the request.
• We do that using a globally unique identifier, which gets translated back into the
  real AD user or computer name in our dashboard.
Protect off-network Win/Macs via Umbrella roaming client

[Diagram: Cisco Secure Client / AnyConnect roaming security module, or the Umbrella roaming client, embeds a unique device ID and GUID (if AD) in the EDNS request, encrypts it and forwards to 208.67.222.222, independent of the Internet gateway; your policy: enforce all security settings based on user identifiers; network egress IP and DNS server N/A]

• For off-network coverage, if you use Cisco AnyConnect, no additional endpoint
  client is needed.
• If you do not use AnyConnect, we have a lightweight client that works with any VPN
  client.
• It provides a way to identify which customer and device sent the DNS request, so
  it can be deployed as an alternative to our virtual appliances to get granular
  control and visibility of on-network laptops or desktops.
• The roaming client works very similarly to the virtual appliance because it forwards
  requests for external Internet domains to Umbrella. We embed a unique identifier
  that matches the device’s hostname and also encrypt the DNS request to prevent
  man-in-the-middle eavesdropping on public networks.
• For internal domains, admins can create an internal domain so that your roaming
  users can access your network’s local resources (computers, servers, printers, etc.)
  on internally-hosted domains that rely on local DNS servers.
• ADD IP layer enforcement script notes here
Protect on and off-network Chromebook devices via Umbrella Chromebook client

[Diagram: Umbrella Chromebook client embeds the unique email ID of the user in the EDNS request and forwards to 208.67.222.222; your policy: enforce all security settings based on user identifiers; network egress IP and DNS server N/A]

• For Chromebook devices, we have the Umbrella Chromebook client that provides
DNS-layer protection both on and off-network.
• It provides a way to identify which customer and user sent the DNS request. It can
be deployed across the organization to get granular control & visibility for the
internet activity of Chromebook users.

Protect on-network devices using Cisco ISR*

[Diagram: Cisco ISR inserts VLAN identity and internal IP address in the EDNS request, encrypts and forwards to 208.67.222.222; Workstation VLAN DNS server 208.67.222.222; Server VLAN DNS server 208.67.222.222; your policy: enforce all security settings for Workstation VLAN or Server VLAN; network egress IP 67.215.87.11]

*Supported models: 1K and 4K series running IOS-XE v16.6.1+

• To provision a Cisco ISR 1K or 4K device, a token must be obtained from your
  Umbrella dashboard and installed on the ISR.
• By doing this, we can securely embed VLAN identities within an EDNS query that is
  automatically encrypted and forwarded to the Umbrella global network.
• This enables you to set different policies per VLAN, for example workstations vs.
  servers, even when it’s the same network egress IP or network device originating
  the query.
• In this example, we have pointed the workstation VLAN to the Umbrella global
  network but kept the Server VLAN DNS policy default.
• This is just to demonstrate that this option is available.
• With this configuration, reports will provide more granularity by VLAN.
Protect on-network devices via partner network device

[Diagram: partner Internet gateway with supported serial number FGL189914GG forwards to DNS server 208.67.222.222; your policy: enforce all security settings for FGL189914GG; network egress IP N/A; list of supported vendors, plus Custom]

• To provision a partner network device like an Aerohive router, a token must be
  obtained from your Umbrella dashboard and installed onto the partner gateway.
• This seamlessly provisions devices—even those you don’t own—to forward DNS
  traffic to the Umbrella global network.
• With this configuration, policy and reports will only identify the network egress’
  public IP address, so you lack internal network, user or device granularity.
• Listed here are the supported vendors, but you can also integrate with devices
  not listed here.
Overview
• Cisco SD-WAN (Viptela)
  - Cloud-delivered WAN architecture that enables digital transformation
  - Manage connectivity across the WAN from a single dashboard
  - Connect to SaaS and IaaS platforms with speed, reliability, security and
    cost-savings
• Quickly deploy Umbrella across SD-WAN to hundreds of devices
• Gain DNS-layer protection against threats at branch offices
• Create policies and view reports on a per-VPN basis

[Diagram: Data Center and Branch connected over the SD-WAN fabric via MPLS; branch DIA to Internet/SaaS through Umbrella]

Starting with our SD-WAN integration

• This integration enables organizations to easily incorporate additional layers
  of DNS and web security across their SD-WAN deployment with a single
  configuration change.
• This provides instant protection against threats like malware, ransomware,
  and C2 callbacks at branch offices.
• For more granular control and visibility, customers can assign policies and
  view reports on a per-VPN basis.
• With this integration, customers can have the cost-savings and increased
  performance of DIA without sacrificing security.
Protect guest wi-fi using Cisco WLC*
No support for internal or split domains
Not recommended for employees

[Diagram: Cisco WLAN controller inserts SSID identity in the EDNS request and forwards to 208.67.222.222; Employee Wi-Fi SSID DNS server 208.67.222.222; Guest Wi-Fi SSID DNS server 208.67.222.222; your policy: enforce all security settings for Employee Wi-Fi SSID; network egress IP 67.215.87.11]

*Supported models: AireOS 8.0+ and WLC 8.4+

• To provision a Cisco WLAN controller, a token must be obtained from your
  Umbrella dashboard and installed on the controller.
• By doing this, we can securely embed SSID identities within an EDNS query that is
  automatically forwarded to the Umbrella global network.
• This enables you to set different policies per SSID, for example Employee vs. Guest
  Wi-Fi, even when it’s the same network egress IP or network device originating the
  query.
• In this example, we have pointed the Employee Wi-Fi SSID to the Umbrella global
  network but kept the Guest Wi-Fi SSID policy default.
• This is just to demonstrate that this option is available.
• With this configuration, reports will provide more granularity by SSID.
Protect corporate and guest wi-fi

[Diagram: Meraki access points insert Device ID and Client IP in the EDNS request and forward to 208.67.222.222; Employee Wi-Fi SSID DNS server 208.67.222.222; Guest Wi-Fi SSID DNS server 208.67.222.222; your policy: enforce Umbrella security settings per SSID or using Meraki Group Policies; network egress IP 67.215.87.11]

• Here is an example of a possible deployment scenario. In this scenario, Umbrella
  is deployed across the entire network, including the Guest Wi-Fi SSID and Employee
  Wi-Fi SSID.
Integration features
Umbrella SD-WAN, powered by Viptela
• Appends EDNS (Device ID and Client IP) to the DNS packet
• Local domain bypass support to exclude internal DNS requests from being sent to
  Umbrella resolvers
• Supports DNSCrypt proxy to encrypt DNS traffic

Let’s take a look at some of the technical features of the integration.

First, EDNS info (including the Device ID and Client IP) will be appended to the DNS
packet, which allows Umbrella to enforce the right policies for the right devices
(Device ID) and provides visibility in the Umbrella dashboard (Client IP).

Second, the integration supports local domain bypass to exclude internal DNS
requests from being sent to the Umbrella resolvers. This allows users to reach your
network’s local resources (computers, servers, printers, etc.) on internally-hosted
domains that rely on local DNS servers.

Lastly, the integration includes support for DNSCrypt. This encrypts DNS traffic to
secure it from eavesdropping and man-in-the-middle attacks.
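The virtual appliance behaviour described earlier (tag the query with the requesting client’s internal IP, a GUID and an Org ID, leave internal domains to the internal DNS server) and the SD-WAN integration’s EDNS append and local domain bypass above are the same mechanism. The following is an added illustration of that mechanism, not Umbrella’s own code: a forwarder decides per query whether it stays local or goes to the Umbrella resolver with an EDNS0 OPT record attached, and a resolver-side parser recovers the identity. The option code 65001 (private-use range), the 24-byte payload layout, the GUID value and the Org ID are assumptions constructed for this example; the resolver address, internal DNS server and internal domain are the ones shown in the slides. The DNSCrypt encryption step is out of scope here.

```python
"""
Split-horizon forwarding with EDNS0 identity tagging.

Added illustration, not Umbrella's own code. The option code 65001 and the
payload layout (client IPv4, org ID, device GUID) are assumptions made for
this example; the real Umbrella option format is not shown on this page.
"""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

UMBRELLA_RESOLVER = "208.67.222.222"      # resolver shown in the slides
INTERNAL_DNS = "10.1.1.1"                 # internal DNS server shown in the slides
INTERNAL_DOMAINS = ("office.acme.com",)   # internal domain shown in the slides
OPT_CODE_IDENTITY = 65001                 # assumed private-use EDNS0 option code
EDNS_UDP_SIZE = 4096


def is_internal(qname: str) -> bool:
    """True for a configured internal domain or any name beneath one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in INTERNAL_DOMAINS)


def encode_name(qname: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def identity_option(client_ip: str, org_id: int, device_guid: bytes) -> bytes:
    """Assumed option payload: 4-byte client IPv4, 4-byte org ID, 16-byte GUID."""
    if len(device_guid) != 16:
        raise ValueError("device GUID must be 16 bytes")
    return ipaddress.IPv4Address(client_ip).packed + struct.pack("!I", org_id) + device_guid


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1,
                opt_data: Optional[bytes] = None) -> bytes:
    """Build a query; with opt_data, append an OPT pseudo-RR carrying one option."""
    arcount = 1 if opt_data is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)      # RD=1, one question
    packet = header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if opt_data is not None:
        option = struct.pack("!HH", OPT_CODE_IDENTITY, len(opt_data)) + opt_data
        # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH
        packet += b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, 0, len(option)) + option
    return packet


def forward(qname: str, client_ip: str, org_id: int, device_guid: bytes) -> Tuple[str, bytes]:
    """Return (next-hop resolver, wire packet) for a query seen from client_ip."""
    if is_internal(qname):
        return INTERNAL_DNS, build_query(qname)                   # local resolution, untagged
    opt = identity_option(client_ip, org_id, device_guid)
    return UMBRELLA_RESOLVER, build_query(qname, opt_data=opt)    # tagged, to Umbrella


def parse_identity(packet: bytes) -> Optional[Dict[str, object]]:
    """Resolver-side view: recover the identity option, or None if the packet has none."""
    _txid, _flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    for _ in range(qdcount):                   # skip the question section
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1 + 4                           # terminating zero + QTYPE + QCLASS
    if arcount == 0 or packet[pos] != 0:
        return None
    rtype, _udp_size, _ttl, rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
    if rtype != 41:
        return None
    rdata = packet[pos + 11:pos + 11 + rdlen]
    code, length = struct.unpack("!HH", rdata[:4])
    if code != OPT_CODE_IDENTITY or length != 24:
        return None
    body = rdata[4:4 + length]
    return {
        "client_ip": str(ipaddress.IPv4Address(body[:4])),
        "org_id": struct.unpack("!I", body[4:8])[0],
        "device_guid": body[8:24],
    }


if __name__ == "__main__":
    guid = bytes(range(16))                    # constructed device GUID
    for name in ("www.example.com", "fileserver.office.acme.com"):
        hop, pkt = forward(name, "10.1.1.3", 1234567, guid)
        print(f"{name:30s} -> {hop:16s} identity={parse_identity(pkt)}")
```

The internal-domain check matches the configured domain and anything beneath it but not its parent, which is the same rule the VA and the SD-WAN bypass need so that office.acme.com stays local while acme.com's public hosts still go to Umbrella.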
Umbrella DNS Policy Best Practices
Build Policy From the Bottom Up
• Your default policy (at the bottom of your list of policies) is the catch-all for
  identities you haven't defined a specific policy for.
• Try to make your default policy the one you want to be enforced if an unknown or
  unexpected device or user attempts to access the internet.
• As such, we recommend that you always either make your default policy the most
  restrictive or make your default policy the one that you would want the majority
  of your users and devices to be governed by.
Build Additional Policies as Exceptions
• From our base default policy, you want to layer on policies from least to most specific.
• An example of this might be to make your first additional policy be for "All Roaming
  Computers", then layer another policy on top of that for a small number of roaming
  computers that have slightly different needs than the general population of roaming
  computers.
• By taking this "exceptions-based" approach you are less likely to encounter any unintended
  results.
• Example:
  1. File Sharing Access
  2. HR Access
  3. C Level Access
  4. Citrix Policy
  5. Default Policy
Additional Best Practices
• Use Top Level Identities
  - Top-level groups like "All Networks" and "All Roaming Computers" are special
    because they dynamically inherit new identities.
  - New devices using the top level will automatically have policy applied.

• Use Tags for Roaming Computers
  - A tag is a way to group roaming computer identities together and can be used to
    filter in reports and management, as well as to create policies for a group of
    roaming computers.

• Organize Policy Settings for Re-use
  - Policy settings can be re-used in multiple policies, so keep that in mind when you
    create, name, and update these settings.
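The three best-practice slides above describe one ordering model: exceptions at the top, broad top-level identities beneath them, the default catch-all last, with top-level groups and tags picking up identities that did not exist when the policy was written. The following is an added illustration of that model, not Umbrella’s policy engine: an ordered list is evaluated top to bottom, the first applicable policy wins, and a small lint routine flags the two mistakes the slides warn about (a default that is not last, and a top-level roaming policy placed above a narrower tag-based one, which shadows it). The policy names follow the slide’s example; the identity names, tags and the extra "All Roaming Computers" policy are constructed for this example.

```python
"""
Ordered DNS policy evaluation, modelled on the best practices above.

Added illustration, not Umbrella's own policy engine. Identity names, tags
and the "All Roaming Computers" policy are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Set

TOP_LEVEL_ROAMING = "All Roaming Computers"
TOP_LEVEL_NETWORKS = "All Networks"


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                              # "network", "roaming_computer", "ad_user", ...
    tags: frozenset = frozenset()          # tags apply to roaming computers only


@dataclass
class Policy:
    name: str
    identities: Set[str] = field(default_factory=set)   # explicit identity names
    tags: Set[str] = field(default_factory=set)         # roaming-computer tags
    top_level: Set[str] = field(default_factory=set)    # e.g. {"All Roaming Computers"}
    is_default: bool = False                            # the bottom catch-all

    def applies_to(self, ident: Identity) -> bool:
        if self.is_default:
            return True
        if ident.name in self.identities:
            return True
        if ident.kind == "roaming_computer":
            # Tags and the top-level group inherit newly enrolled roaming computers.
            if ident.tags & self.tags or TOP_LEVEL_ROAMING in self.top_level:
                return True
        if ident.kind == "network" and TOP_LEVEL_NETWORKS in self.top_level:
            return True
        return False


def evaluate(policies: List[Policy], ident: Identity) -> str:
    """Walk the list top to bottom and return the first matching policy's name."""
    for policy in policies:
        if policy.applies_to(ident):
            return policy.name
    raise ValueError("no default policy at the bottom of the list")


def lint(policies: List[Policy]) -> List[str]:
    """Flag orderings that break the exceptions-based layout."""
    problems = []
    if not policies or not policies[-1].is_default:
        problems.append("the last policy must be the default catch-all")
    for i, policy in enumerate(policies):
        if policy.is_default and i != len(policies) - 1:
            problems.append(f"'{policy.name}' is a default policy but not last; "
                            "policies below it never match")
        if TOP_LEVEL_ROAMING in policy.top_level:
            for later in policies[i + 1:]:
                if later.tags:
                    problems.append(f"'{policy.name}' is above '{later.name}' and "
                                    "shadows it for tagged roaming computers")
    return problems


# Policy list from the slide's example, plus a top-level roaming policy just above the default.
POLICIES = [
    Policy("File Sharing Access", identities={"fileshare-srv-01"}),
    Policy("HR Access", tags={"hr"}),
    Policy("C Level Access", tags={"exec"}),
    Policy("Citrix Policy", identities={"citrix-net"}),
    Policy("All Roaming Computers", top_level={TOP_LEVEL_ROAMING}),
    Policy("Default Policy", is_default=True),
]

if __name__ == "__main__":
    ceo = Identity("ceo-laptop", "roaming_computer", frozenset({"exec"}))
    new_hire = Identity("new-hire-laptop", "roaming_computer")   # enrolled after the policies were written
    unknown = Identity("unknown-device", "unknown")
    for ident in (ceo, new_hire, unknown):
        print(f"{ident.name:18s} -> {evaluate(POLICIES, ident)}")
    print("lint:", lint(POLICIES) or "ok")
```

Running the script shows the CEO laptop landing on "C Level Access", a laptop enrolled later landing on "All Roaming Computers" without any policy change, and an unrecognised identity falling through to "Default Policy", which is why the slides ask for the default to be the restrictive one.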
Module 5
CDFW

Umbrella firewall protects traffic from requests originating from a client user

Firewall use cases that protect traffic from requests originating from a client user
are essential to securing access to the internet and controlling cloud app usage.

[Diagram: Internet; request originating from the internet vs. request originating from client user]

• Firewalls serve many different use cases.
• Protecting traffic from requests originating with a client user (both outbound and
  inbound from that original user request) is essential to securing access to the
  internet and controlling cloud app usage. This is Umbrella’s focus.
• Examples of this security functionality that Umbrella firewall provides:
  - Access control – controlling what ports, protocols, or applications are
    allowed or not
  - Security features – applying a broad variety of security controls on traffic,
    including layer 3/4 (port/protocol rules), layer 7 application visibility and
    control (application rules for non-web traffic) and intrusion prevention
    system/IPS (signature-based threat detection).
• Although the speaker should not emphasize use cases where requests
  ORIGINATED from the internet, here are examples that are not the focus for
  Umbrella. This is useful because it shows how a cloud-delivered firewall like
  Umbrella can complement on-premises firewalls.
  - Inbound traffic via VPN
  - Traffic between locations, i.e. branch office to branch office
  - WAF (Web Application Firewall) – a shield placed between the web application
    and the Internet. Akin to a reverse proxy, protecting the server from exposure
    by having clients pass through the WAF before reaching the server.
  - DMZ / NAT – creating a buffer zone (or demilitarized zone/DMZ) between the
    public internet and the private network to screen inbound traffic before it
    reaches an organization’s servers.
• In LA now, the cloud-delivered firewall
provides layer 7 application visibility
and control (AVC).
• We had layer 3 / 4 firewall, but layer 7
AVC goes further to recognize non-
web applications and take appropriate
action to block/allow them.
• It uses signature-based detection to
identify and block applications.

• Customers forward traffic to CDFW by configuring an IPsec tunnel from a network
  device.
• Essential for delivering CDFW is Umbrella’s innovative, patent-pending IPsec
  tunnel approach, which simplifies deployment and improves reliability.
  - It enables the Umbrella infrastructure to execute planned updates, additions,
    and removals—even take down an entire data center—with minimal impact to
    users.
  - And in the rare instance of an unplanned interruption, it performs automatic
    data center failover with no loss of redundancy protection.
  - As new tunnels are created, Umbrella automatically applies security policies
    for easy setup and consistent enforcement.
• Umbrella CDFW also forwards traffic from ports 80/443 to our secure web gateway
  for deep inspection of that web traffic.
Reserved egress IP
IP allow-listing

Use case: Allow listing
• Customer uses SaaS app that requires an “allow list”
• Examples: Government portals; Azure web apps

Customer value
• Provides extra privacy and security

Functionality
• Unique egress IP for web traffic
• Single-tenant IP address per datacenter (1:1)
• Not shared with other customers
• No customer configuration required
• Egress IP available in activity search only*
• Failover DCs also require reserved egress IPs

[Diagram: Branch → Umbrella SWG → NATaaS → Internet (SaaS app); currently full support for tunnels, anycast forwarding on roadmap]

* Review speaker notes for detail

• *Tunnel support is easy for failover and predictable. Customers must purchase
  additional reserved IPs for tunnel failover locations. PAC use with Reserved IP
  works but is not sticky and thus not reliable or supported. Review the load
  balancing slide for the reason: the LB could send a PAC user or Secure Client user
  to any DC, so it is less predictable.

New function – highly requested by customers – in Umbrella SIG

• Reserved IP is a single-tenant IP address deployed to an Umbrella data center that
  is mapped to a customer’s web traffic. This provides a unique egress, or source, IP
  address that is not shared with other Umbrella SIG customers.
• The main use case is “allow listing.” Many customers use SaaS apps that require an
  “allow list”: a list of pre-designated/known IPs from which traffic to the SaaS app
  will be allowed. This Umbrella SIG add-on delivers this.
  - Common in government portals
  - Common in Azure web applications
• As reserved IP addresses are deployed on a per-DC basis, customers require a
  reserved IP in each data center they forward their web traffic to.
• Currently, Reserved IP does not support Anycast; therefore, customers should use
  IPsec tunnels to connect their networks to Umbrella for reliable use of their
  reserved IP(s).
• For roaming computers, a client VPN should be used to forward web traffic to a
  network where an IPsec tunnel has been established to an Umbrella datacenter
  provisioned with a reserved IP.
• Anycast will be supported by Reserved IP in a future iteration.

In the Activity Search report, there are three new filters in Advanced Search:
- Umbrella Egress IP Type: a selection list of either Shared or Reserved.
- Umbrella Egress IP Address: the field accepts specific egress IPs.
- Umbrella Egress Data Center: a selection list of available Umbrella data centers.
Cloud-delivered Firewall - CDFW
Best practices and considerations

• Use automations - Viptela auto tunnel, Meraki Umbrella SD-WAN Connector, CDO
• Exempt Umbrella DNS and SWG IPs from the tunnel for higher throughput
• Snort in detect mode
• L3/L4/L7 firewall
• Egress from 146.112.0.0/16 or 155.190.0.0/18 (SSL resumption)
• CDFW redirects web traffic to SWG but only if allowed by firewall rules

Viptela SIG auto tunnel template
Meraki connector: Umbrella becomes part of the Auto VPN fabric; supports advanced
features like local per-app breakout (LA)
Script available for Meraki third-party VPN to Umbrella automation
CDO can automate ASA config
SSL resumption: all non-decrypted traffic will egress from the same IP, in case a site
tracks the IP address
Tunnels

IPsec tunnel capabilities

Example: data center region code US-1, with Los Angeles (146.112.67.8) as primary and Santa Clara (146.112.66.8) as secondary; in case of primary failure, the branch uses the secondary DC in the same region.

IPsec capacity
• 250 Mbps by default, with ongoing development to increase capacity
• Multiple tunnels can be deployed to support higher capacity

Availability
• Hard code primary, secondary (optional)
• Failover to secondary data center is handled by anycast
• Failure detection uses IKE dead peer detection

Umbrella IPsec tunnel capacity is now 250 Mbps and will be increased to 500 Mbps
soon. Speed is IMIX tested. Multiple tunnels can be used to cover locations with
higher traffic volumes in the short term, but individual tunnel capacity will continue
to be increased over time.

When setting up the tunnel you select your primary and secondary data center. If
there is an issue with your primary location, it will automatically switch over to the
secondary location.

Other DC regions are shown here: https://docs.umbrella.com/umbrella-user-guide/docs/cisco-umbrella-data-centers

• If using DPD: minimum of 30 sec intra-DC (intra-region 1 min, inter-region 2 min).
  Note: inter- and intra-region times are due to BGP reconvergence.

Tested from our infrastructure.
Multiple Tunnels
• Higher throughput with ECMP
• ECMP all tunnels to the same DC
• Single public IP address supported with NAT
• FQDN IKE identity if single public IP
• One IKE identity per tunnel

[Diagram: Router with Loopback1 10.0.0.1/32 and Loopback2 10.0.0.2/32 builds Tunnel 1 (1.2.3.4:11111) and Tunnel 2 (1.2.3.4:22222) to the same Umbrella DC 146.112.83.8:4500; NAT from 10.0.0.0/24 interface outside overload (PAT)]

Most routers don’t use a random UDP source port for each IKE/IPsec-over-UDP
connection, and because of this limitation the router is not able to identify which
tunnel the traffic belongs to. NAT is therefore used to generate a random UDP port
(a different source port) for each tunnel.
Umbrella for SD-WAN
Fast forward time to value with automated security

Hands-off automation
Deploy IPsec tunnels across thousands of branches in minutes

Top notch protection
Defend against threats with the leader in security efficacy

Simplified management
Single pane of glass across all offices, users and roaming clients

Deeper inspection and controls
SWG, CASB, and cloud-delivered firewall layer 3, 4, and 7

[Diagram: HQ and Branch with DIA through Cisco Umbrella: DNS-layer security, Secure web gateway, Cloud-delivered firewall (w/ IPS), Cloud access security broker, Interactive threat intelligence]

The Cisco SD-WAN and Umbrella integration enables you to simply infuse effective
cloud security throughout your Cisco SD-WAN fabric. Umbrella delivers multiple
security capabilities in a single cloud-delivered service to create a powerful,
integrated, and cloud-native security solution that is easy to deploy and to manage.

To get started, customers can quickly deploy cloud security across their SD-WAN to
thousands of branches in minutes and instantly gain protection against threats on the
internet — powered by Umbrella’s global network and threat intelligence. With
simple tunnel creation to Umbrella’s secure web gateway and cloud-delivered
firewall, customers get additional security and more granular controls.

Key benefits of the integration include:

- Fast forward time to value with automated security: deploying secure SD-WAN used
  to take months. With our automated provisioning and tunnel creation you can easily
  protect your branches and users in minutes.
- Flexibility: deploy effective cloud security across all your Secure SD-WAN platforms
  (vEdge and cEdge).
- Simplified management via the Cisco Umbrella dashboard: a single pane of glass
  into all of your security across branch offices and users.
- Built-in redundancy: protection from regional DC failure without added complexity.
Meraki MX and Umbrella integration options

Option I
• Meraki dashboard and user interface simplify tunnel creation
• IPsec tunnel connectivity
• Flexible security options, chosen per site: DNS Proxy (e.g. guest traffic) or SIG (e.g. critical traffic)

Option II
• Auto VPN extends Meraki’s SD-WAN fabric into the Umbrella cloud (Meraki Umbrella SD-WAN Connector)
• Automated SD-WAN fabric integration (competitive differentiator)
• Flexible security options, chosen per site: DNS Proxy (e.g. guest traffic) or SIG (e.g. critical traffic)

[Diagram: under each option, branch MX (IPS/AMP) connects to Cisco Umbrella and on to Internet/SaaS]

Meraki MX and Umbrella integration gives customers a fast start to their
SASE journey.

Option I (Phase I) allows customers to easily create IPsec tunnels from
Meraki MX devices to Umbrella through the Meraki dashboard and user
interface. It uses the non-Meraki VPN peer options and can leverage API
scripts for scale.

Now, we are making available Option II (Phase II), which leverages the
Meraki Auto VPN to extend Meraki’s SD-WAN fabric into the Umbrella
cloud with just a few clicks. As new tunnels are added, Umbrella policies
are automatically applied for easy setup and consistent enforcement.
Meraki’s dynamic policies and intelligent path selection with auto load
balancing maximize performance and reliability.

Customers can mix and match Option I & II as it makes sense in their
environment. Both options of Meraki MX and Umbrella integration provide
simple, flexible deployment and enforcement options to meet customer needs.

As compared to our competitors, Cisco offers customers the flexibility to
pick and choose security to support different use cases. For example, they can
leverage Umbrella SIG capabilities with this integration to support use cases
where they need full logging and inspection, e.g., corporate traffic. They can
also choose to deploy DNS-level security (with a separate license; it is NOT
enforced with this integration) for non-tunnel sites (DNS security is excluded
from the tunnel) to stop attacks and block threats even before they reach their
network or endpoints, e.g., to protect guest wi-fi and high-performance
sites. Protecting guests and high-performance sites requires licensing if using MX
(Meraki ADV license).

For Option I:

IPsec capacity: 250 Mbps per tunnel, ongoing development to increase capacity

Availability
• Umbrella-defined primary, secondary DCs
• Failover to secondary DC and DR is handled by anycast
• Failure detection uses IKE DPD
• Available in all SIG datacenters globally

Firmware: Requires MX15+ Firmware

Licensing: Requires Umbrella SIG license + any MX license tier

For Option II:

Capabilities
• Up to 250 Mbps per connector, multiple connectors for higher capacity
• Supports VPN exclusions for direct internet access
• Automatic intelligent path selection based on traffic

High availability
• Customer-defined primary and secondary DC (initially in select SIG DCs)
• Failover to secondary DC is handled by the Meraki SD-WAN fabric

Firmware: Requires MX14 or higher firmware
Licensing: Requires Umbrella SIG licensing + any MX license tier

VPN exclusions at app level require the SDW license for MX
Meraki and Umbrella
Pulling it all together for a highly flexible SASE

Flexible options
• DNS-layer security available for MR, Z3, and MX (requires SEC | SDW license)
• Multi-function security (SIG) for MX and Z3 SD-WAN

[Diagram: Branch sends DNS direct to Umbrella DNS-layer security (selective proxy) for DNS-only sites; all traffic over the SIG tunnel to Umbrella DNS, CDFW and SWG with CASB, IPS, DLP, RBI and NAT; all allowed web traffic on to the Internet; VPN-excluded traffic (ex: O365) goes direct*]

* SDW License required for excluding traffic by application
Want to learn SASE?
dcloud.cisco.com

Intrusion Prevention System
IPS - Overview

[Diagram: devices on the network send traffic to the Internet through Umbrella SIG (DNS, CDFW, IPS, SWG, RBI, NAT, CASB, DLP); the "bad guys" are stopped by the Intrusion Prevention System using signature-based or anomaly-based detection.]

• Deepen Umbrella cloud firewall protection for client-driven traffic
• Use signature-based detection (Snort 3) to examine network traffic flows and prevent exploits, with both exploit-facing signatures and vulnerability-facing signatures
• Automated actions, such as dropping malicious packets, blocking traffic from the source address, or resetting the connection
• Add a layer of detection/blocking for malware, botnets, phishing, and more
• Leverage Cisco Talos' 40K+ signatures (and growing) to detect and correlate threats in real time
IPS - Requirements

[Diagram: devices on the network send all traffic through an IPsec network tunnel to Umbrella. The CDFW applies Layer 3, 4, 7 and IPS inspection; web traffic (80/443) continues to the SWG; non-web traffic and site exclusions go on to the Internet/SaaS.]

• At least one network tunnel added to CDFW
• All client-generated traffic is routed through the network tunnel
• Enable IPS globally
IPS - Configuration
Under IPS Settings, choose one of the Intrusion System Modes:
• Detection Only—Detect threats or attacks in your network that match your signature database. When
Detection Only mode is used, your IPS settings can be tested on your network without affecting
traffic. Signatures that would be blocked in Protection mode will be logged in Activity Search as
"Allowed (Would Block)" under IPS Signatures.
• Protection—Protect your network from known threats or attacks.
IPS - Configuration
• Under Apply to IPS Signature List, choose the signature list and Save
• IPS is now enabled for your firewall policy.
IPS - Reporting
• On the Activity Search report you can filter on IPS request types by using the Requests menu in the upper-right.
• IPS events can be further filtered by signature outcome: Log Only, Would Block, or Blocked.
• The Overview report now includes an IPS Breakdown section.
IPS - Considerations
• IPS is limited to SIG tunnel deployments.
• IPS is enabled across the entire environment / across all tunnels.
• Currently it is only possible to use the pre-defined Talos signatures (40,000+).
• Recommended to start the implementation of IPS in "Detection Only" mode and review the IPS events (using the Hit Counters or Activity Search) before switching to "Protection" mode.
• For suspected false positives that could be causing problems for legitimate application traffic, you can use "Custom IPS Settings" lists to disable specific IPS signatures.
• Decryption of traffic is not yet available for IPS, so IPS signatures only match what is visible in unencrypted flows through the tunnel.

[Diagram: devices on the network protected from the "bad guys" on the Internet by the Intrusion Prevention System, using signature-based or anomaly-based detection.]
Day 1 Labs

Umbrella FE Labs (Day 1)
1. DNS Network Protection
2. DNS Branch Protection
3. Active Directory Integration
4. Roaming Device Protection
5. Virtual Appliances
6. SIG Network Tunnel
7. Cloud Delivered Firewall
8. Intrusion Prevention System
‣ Widget maker with R&D, Sales, Marketing and Executives
‣ Your first Umbrella customer
‣ Headquarters and branch locations
‣ Consolidate multiple existing security controls & devices with Umbrella SSE
‣ Long-term goal of SASE
Course Logistics & Materials

• Lab Instructions - CiscoSecurityWorkshop
- bit.ly/umb101
- Enrollment Code – UMB101-OnDemand

• Lab Access – dCloud (CCO)
- https://dcloud2-lon.cisco.com/event/395148/access

• Support: Contact your Cisco Partner TSA

• Lecture Slide Content:
- In the Lab Support Webex Space
Confirm access to Cisco Security Workshop

bit.ly/umb101
UMB101-OnDemand

Use the enrollment code to enroll in the course if you haven't done so already.
dCloud: Cisco Umbrella Lab v4
Accessing the Lab Guide
Visit: bit.ly/umb101
1. Click Create New Account
2. Fill out the form using the enrollment code UMB101-OnDemand
Accessing the Lab
• After registration, a confirmation screen appears. Look for an email to verify your email address.
• Open the email generated from registration to verify your email address.
• After validating your email address, go back to the following link to access the module: bit.ly/umb101
• You will be directed to the lab guide page, which is your lab guide to be used for the Umbrella 101 Lab.
Proof of Performance
• In order to receive credit for Fire Jumper you must complete all lab modules.
• After completing the lab, you will be provided with a certificate, which is your "proof of performance".
• Formal Fire Jumper certificates will be provided at a later date.
Cisco Umbrella 101
Field Engineer Course
Fire Jumper Stage 3 Deployment Training
Umbrella 101 Field Engineer Course Outline

Day 1
• Module 1 – Fundamentals
• Module 2 – Deployment
• Module 3 – Identity
• Module 4 – DNS
• Module 5 – CDFW
• Lab Scenarios 1-8

Day 2
• Module 6 – SWG
• Module 7 – Advanced SWG
• Module 8 – Investigate
• Module 9 – Operations & Troubleshooting
• Module 10 – SecureX
• Lab Scenarios 9-16
Umbrella FE Labs

Day 1
1. DNS Network Protection
2. DNS Branch Protection
3. Active Directory Integration
4. Roaming Device Protection
5. Virtual Appliances
6. SIG Network Tunnel
7. Cloud Delivered Firewall
8. Intrusion Prevention System

Day 2
9. Secure Web Gateway
10. CASB / Cloud Malware
11. Data Loss Prevention
12. Remote Browser Isolation
13. Operations & Troubleshooting
14. Investigate
15. APIs & Integrations
16. SecureX
Project Status Review

Current Project Status
• We have:
- Deployed Umbrella DNS @ HQ
  • Configured & tested manual integration & DNS server forwarding
- Deployed Umbrella DNS for roaming devices
  • Configured & tested Cisco Secure Client
- Deployed Umbrella DNS @ Branch
  • Configured & tested network device integration
- Deployed Active Directory & Virtual Appliances
- Migrated Umbrella DNS to SIG @ Branch
  • Configured & tested a network tunnel
  • Configured & tested CDFW & IPS

We are now able to assist TME Labs with the continuation of their Umbrella deployment journey.
Module 6
SWG

Umbrella SWG
Multiple functions and aggregated reporting in one cloud console

[Diagram: on/off-network devices reach the Umbrella SWG over an IPsec tunnel, Cisco Secure Client (AnyConnect), PAC files, or proxy chaining, then on to the Internet/SaaS; a trusted SaaS app (e.g. O365) can be sent direct.]

• Malware scanning includes two anti-virus engines and Secure Endpoint (AMP) lookup
• File type controls
• Full or selective SSL decryption
• TLS 1.3 native support
• Category or URL filtering for content control
• Secure Malware Analytics (Threat Grid) file sandboxing
• App visibility and granular controls
• Full URL level reporting

Umbrella SIG Essentials includes a broad set of Secure Web Gateway (SWG)
capabilities. Once your web traffic is routed to the Umbrella cloud the SWG can
provide URL level reporting to help with monitoring usage or for investigations.
Application visibility and control give you the ability to see what apps are being used
and how much. It also provides risk profiles and the ability to block app categories or
specific apps. You can even control specific actions within applications. Umbrella
provides anti-virus/malware scanning and additional sandboxing capabilities as well.

You can turn on full or selective decryption capabilities to secure HTTPS traffic and
you can enforce file type controls. If you have time sensitive O365 traffic you can
send it directly to Microsoft. (Cisco Cloudlock can enforce API-based CASB security
measures on that traffic as appropriate.)

Umbrella combines all of this functionality and reporting along with DNS security and
a Cloud Delivered Firewall (CDFW) capabilities in a single cloud console.

Re: Direct to SaaS app – This is O365 bypass, with which you can bypass SWG
inspection and still benefit by using our direct peering. To enable it, customer
requests it in the backend by opening a support ticket.

Why a Web Proxy?

‣ Gain additional visibility via full URL logging and cloud app discovery
‣ Enforce acceptable use policy via app controls, content filtering, and URL block/allow lists
‣ Extend protection against malware via SSL decryption and file inspection
‣ Enrich file inspection (with retrospective alerts) via malware defense and analytics

[Diagram: full web proxy]

DNS can show you which building a user walks into, but DNS cannot show you where the user goes in the building, who they talk to or interact with. For that you would need URL visibility (and HTTPS inspection, now that most of the web is encrypted!).
Don't we already do this with DNS?
• The difference is "URL" filtering
• Anatomy of a URL

https://video.google.co.uk:80/videoplay?docid=-7246927612831078230&hl=en#00h02m30s

protocol: https | subdomain: video | domain name: google.co.uk | port: 80 | path: /videoplay | parameters (query): docid=-7246927612831078230&hl=en | fragment: 00h02m30s

• Umbrella DNS is limited to filtering by domain

https://doepud.co.uk/blog/anatomy-of-a-url
Umbrella DNS could be set to block google.co.uk, but it cannot block just this one URL.
Umbrella DNS can block amazon.com as a domain, but it cannot carve out only Amazon's video pages when they sit under the same domain; only a proxy that sees the path can do that.
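The point above, as an added example that is not part of the original deck: what a DNS-layer resolver can see of a request versus what a full web proxy sees, using Node's URL parser as a stand-in for the proxy. The sample URL is the one on the slide; the block-list entries are constructed for the demonstration.

```javascript
// Added example (not from the Cisco deck): DNS-layer view vs. web-proxy view of one request.
// Sample URL is the slide's; block lists are constructed for the demo.

const SAMPLE_URL =
  "https://video.google.co.uk:80/videoplay?docid=-7246927612831078230&hl=en#00h02m30s";

// A DNS resolver only ever receives the hostname being looked up (the query name).
// The path, query string and fragment never appear in a DNS packet.
function dnsLayerView(url) {
  return { qname: new URL(url).hostname };
}

// A proxy terminating the connection sees the whole request line, so it can act on
// scheme, host, port, path and query. The fragment stays in the browser and is never sent.
function swgView(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol.replace(":", ""),
    host: u.hostname,
    port: u.port || (u.protocol === "https:" ? "443" : "80"),
    path: u.pathname,
    query: Object.fromEntries(u.searchParams),
    fragmentSentToProxy: false,
  };
}

// Every suffix of the hostname is a candidate for a domain-level block:
// video.google.co.uk, google.co.uk, co.uk, uk.
function domainSuffixes(hostname) {
  const labels = hostname.split(".");
  return labels.map((_, i) => labels.slice(i).join("."));
}

// DNS-layer decision: a destination-list entry can only be a domain. Blocking a parent
// domain takes every host under it with it, and an entry containing a path never matches.
function dnsDecision(url, blockedDomains) {
  const hit = domainSuffixes(dnsLayerView(url).qname).find((d) => blockedDomains.includes(d));
  return hit ? `block (${hit})` : "allow";
}

// URL-level decision: match on host plus path prefix, so one video page can be blocked
// while the rest of the same host stays reachable.
function urlDecision(url, blockedUrls) {
  const v = swgView(url);
  const target = v.host + v.path;
  const hit = blockedUrls.find((b) => target === b || target.startsWith(b + "/"));
  return hit ? `block (${hit})` : "allow";
}
```

Running `dnsDecision(SAMPLE_URL, ["google.co.uk"])` blocks the video page, but so does every other request under google.co.uk, while `urlDecision(SAMPLE_URL, ["video.google.co.uk/videoplay"])` blocks only the path and leaves `https://video.google.co.uk/about` allowed.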
Full URL tracking and reporting
• Visibility for compliance,
monitoring, and investigations
• Multiple views at the URL level
by network, device, user, date
- See trends
- Monitor activities
- Investigate incidents

The Umbrella secure web gateway has visibility into all web traffic and provides
detailed URL level reporting. This information can be used to monitor specific
networks or users and provide detailed data for investigations.

SWG Rules-based Policy
Evolution of Umbrella's Policy Model

• Rules
• All identities: Users, Groups, IP, Tunnels, etc.
• All actions: Block, Allow, Warn
• Destinations: Categories, Destination Lists, Applications (AVC), Security
• Multi-match on Identity AND Destination
• If no match, fall through to the next rule (firewall style)
• Re-order to set priority
• Rulesets to improve manageability
Category blocks are a great way to do broad-brush content control by blocking a large number of URLs at once. The broad set of main categories comes from Cisco Talos and is shared across multiple Cisco security solutions.

SWG Policy – Block Uncategorized
• Gives administrators the ability to block access to any domain/URL that has no known category
• Ensures that users only go to known sites
SWG Policy - Warn Page
• Soft block/warn
• SWG support only (further support planned for later)
• Simple Continue button
• Customizable
• Content categories set to Block or Warn
SWG Policy - Time of Day/Week - Selection within Rule
• Apply a schedule to a specific rule
• Enable the rule to only be active during the times set
Malware and virus protection
• Scan and detect a broad range of malware and viruses to avoid infection and stop attacks
• Umbrella secure web gateway with Secure Endpoint (AMP) and third-party virus protection tools
• Activity reports show details on all blocked events

The SWG scans all web traffic (including HTTPS) for viruses and malware utilizing the power of AMP and multiple anti-virus engines. All of the details of the blocked destinations are provided in the Umbrella reporting console for tracking and investigations.

This inline protection blocks access to malicious destinations and files that are part of active threats.
Cisco Secure Malware Analytics (Threat Grid) sandboxing
• Ability to detect hidden threats in files that are being downloaded
• A set of new or higher-risk files are placed in a sandbox environment and checked for malicious activity/content
  - Alerts posted on files that show bad activity
  - Umbrella threat intelligence is updated for that file
• Regions: Europe or North America

SIG Essentials: Cisco Secure Malware Analytics limit of 500 files per day
SIG Advantage: Includes unlimited submissions and access to the full sandbox console for 3 users

Files that make it through the Cisco Secure Endpoint malware scan and are in a higher-risk category are sent to the Cisco Secure Malware Analytics (Threat Grid) sandbox for further analysis. This allows for deeper inspection of the file over time to see if it starts to display malicious behavior.

SIZING GUIDANCE: If there are over 10k users the file limit should be discussed. 1-3% of total user count is a good guideline and should meet most customers' needs.

The Umbrella Cisco Secure Malware Analytics (Threat Grid) entitlement dashboard can be tied to an existing Cisco Secure Malware Analytics (Threat Grid) install for customers that already have Cisco Secure Malware Analytics (Threat Grid) licenses. Additional volume is available through an add-on SKU.
File Type Control
• Blocking file downloads by type
• File detection on a combination of:
  • File extension
  • File signature
• SWG support only
• Over 100 different file types supported, more being added
• Users get a block page for blocked extensions
• SSL decrypt encouraged
Extending SWG Functionality
General CASB types (multimode)

Inline / proxy
• High-impact deployment
• Agent or traffic redirection
• Real-time enforcement inline
• Limited east-west and cloud-to-cloud
• All application coverage
• Capabilities:
  • App visibility and blocking
  • Advanced app control
  • Block uploads (i.e. Dropbox/Box)
  • Block attachments (i.e. webmail)
  • Tenant controls
  • Inline DLP

Out of band / API
• Low-impact deployment
• Agentless, no user experience impact
• Relies on the APIs of cloud apps
• Retrospective
• Near real-time enforcement
• Universal coverage
• Sanctioned app coverage
• Capabilities:
  • Data-at-rest cloud malware detection

There are two ways to provide CASB functionality, each with its own set of pros and cons.

Out of band: the activity goes from the user directly to the SaaS provider, and then through an API connection the CASB applies policy to provide visibility, protect the user or control their activity.
Inline: traffic to the SaaS provider is intercepted and scanning/policies are applied before it reaches the SaaS provider.

Umbrella provides some inline CASB capabilities now and Cisco Cloudlock provides a set of API-based capabilities.
Tenant controls
Select the instance(s) of core SaaS applications that can be accessed by all users or by specific groups/individuals

[Diagram: the corporate instance (Cisco.com) of a SaaS app alongside the personal instances of two users (Deb Smith, Bob Jones) of the same app.]

Key use cases
• Security: Ensure sensitive data is created and stored in approved instances of cloud apps
• Productivity: Only provide access to corporate instances of core SaaS apps

• Cloud Access Security Broker (CASB) is another key functional area and is getting more and more integrated into Umbrella; tenant restrictions are key.
• You may have Office 365, Slack or G Suite or some SaaS applications where you only want your corporate instance being used. You don't want people exfiltrating data (sensitive information or files) out to their personal instance of G Suite (for example).
• You can do that within Umbrella now.
• There are a variety of key use cases. Of course there is the security use case just mentioned, but there is a productivity angle as well.
• You want people to use sanctioned corporate SaaS apps to boost their productivity, but you don't want them on personal instances doing other things during working hours.
App discovery and controls
Visibility into shadow IT and control of cloud apps

• Full list of cloud apps in use
• Reports by category and risk level
• Number of users and amount of incoming and outgoing traffic
• Blocking of high-risk categories or individual apps

Umbrella is now exposing Shadow IT and helping organizations enable healthy cloud adoption with new App Discovery and blocking capabilities.

• There are three key challenges that we are addressing to help expose and manage Shadow IT. The first one is visibility: how can you develop a cloud adoption strategy and manage risk if you don't even know what applications are in use?

• Visibility is the critical first step, but it isn't enough on its own. A list of apps is interesting, but with hundreds of SaaS apps in use at most organizations, the security and IT teams need "app and risk insight" to help them understand the vendor, app, and risk details, make informed decisions and actively manage cloud adoption.

• All of this detailed information empowers business, IT and security leaders to make informed decisions that improve collaboration and limit risk as they transition to the cloud. Grouping apps by category and reviewing risk profile information helps with selecting which applications to approve, as well as the categories and applications that you want to block.

• Overall this visibility and control can help you manage cloud adoption by optimizing productivity, controlling cloud expenses and reducing the risk to the organization.
Malware scanning is API-based, cloud to cloud

[Diagram: Cisco Umbrella connects to the SaaS service over APIs; files placed there by managed and unmanaged users, devices and networks are all covered.]

Cloud malware scans data at rest in the SaaS service (cloud-to-cloud scanning).
Data-at-rest, cloud malware detection (API-based)
Prevent malware from spreading to additional endpoints and users

Files that contain malware in cloud repositories can do damage.

Malware enters/exits via:
• Endpoints that aren't covered by Cisco Secure Endpoint (AMP)
• Unmanaged devices
• External sharing (files with other companies)

Solution:
• Scans out-of-band repositories initially and does real-time scans of saved files

Two apps included in SIG Essentials
All available apps included in SIG Advantage

There are a variety of ways that malware can get into cloud storage environments: unprotected endpoints, unmanaged devices and external sharing.

Our cloud malware detection functionality can both scan the existing repository and scan new file uploads for malware, to keep your repository clean and prevent the download of bad files to other endpoints.

Currently four apps are supported; as we add more apps, SIG Advantage will include them automatically. See the icons for supported apps.
SSL Decrypt
Why inspect HTTPS?
• Most of the web is now HTTPS
• What is visible in HTTPS without inspection?
- Server Name Indication (SNI)
- Source and destination IP addresses
- Server FQDN (from the server's certificate; only with TLS 1.2, since TLS 1.3 encrypts the server certificate)

• No URL visibility in HTTPS without inspection

With the increasing amount of web traffic that is encrypted, it is important to decrypt and apply policies to this traffic.

Only basic information is available on encrypted traffic without this functionality turned on, and more attackers are using encrypted traffic to avoid detection.
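To make the slide's list concrete, here is an added example (the editor's, not part of the Cisco deck) of what a passive observer, or a proxy that is not decrypting, can read from an HTTPS connection. It builds a minimal TLS ClientHello for a constructed hostname and pulls the cleartext Server Name Indication back out of the bytes; the cipher suite, random bytes and second extension are arbitrary filler chosen so the parser has something realistic to walk past.

```javascript
// Added example (not from the deck): build a minimal TLS ClientHello and extract the
// cleartext SNI from it, i.e. the one piece of destination detail visible without
// decryption. The URL path, query, headers and body are sent after the handshake,
// encrypted, and are simply not present in these bytes.

function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }
function ext(type, data) { return Buffer.concat([u16(type), u16(data.length), data]); }

// Constructed ClientHello. Pass null as host to emulate a client that sends no SNI.
function buildClientHello(host) {
  // supported_versions (0x002b) advertising TLS 1.3: an unrelated extension the parser must skip.
  const exts = [ext(0x002b, Buffer.from([0x02, 0x03, 0x04]))];
  if (host) {
    const name = Buffer.from(host, "ascii");
    // server_name: list_len(2) name_type(1)=host_name name_len(2) name
    exts.push(ext(0x0000, Buffer.concat([u16(name.length + 3), Buffer.from([0x00]), u16(name.length), name])));
  }
  const extensions = Buffer.concat(exts);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),          // legacy_version TLS 1.2 (1.3 is negotiated via extension)
    Buffer.alloc(32, 0x11),             // random (fixed filler for the demo)
    Buffer.from([0x00]),                // session_id length 0
    u16(2), Buffer.from([0x13, 0x01]),  // one cipher suite: TLS_AES_128_GCM_SHA256
    Buffer.from([0x01, 0x00]),          // one compression method: null
    u16(extensions.length), extensions,
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]); // type=client_hello
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]); // record header
}

// Walk a TLS record and return the SNI host_name, or null if there is none to read.
function extractSni(record) {
  if (record[0] !== 0x16) return null;       // not a handshake record
  let p = 5;                                  // skip record header
  if (record[p] !== 0x01) return null;        // not a ClientHello
  p += 4;                                     // handshake type + 3-byte length
  p += 2 + 32;                                // version + random
  p += 1 + record[p];                         // session_id
  p += 2 + record.readUInt16BE(p);            // cipher_suites
  p += 1 + record[p];                         // compression_methods
  if (p + 2 > record.length) return null;     // no extensions block at all
  const extEnd = p + 2 + record.readUInt16BE(p);
  p += 2;
  while (p + 4 <= extEnd) {
    const type = record.readUInt16BE(p);
    const len = record.readUInt16BE(p + 2);
    if (type === 0x0000) {
      const nameLen = record.readUInt16BE(p + 7);          // skip list_len(2) + name_type(1)
      return record.subarray(p + 9, p + 9 + nameLen).toString("ascii");
    }
    p += 4 + len;
  }
  return null;
}
```

This is exactly the hostname-level visibility the slide describes: enough to apply a domain or category decision on the SNI, not enough to see `/videoplay?docid=...`. Note that SNI is cleartext in both TLS 1.2 and TLS 1.3 unless the client uses Encrypted Client Hello, in which case even this disappears without decryption.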
HTTPS traffic and URL visibility requirements
• Granular app control
• URL category blocking
• Full URL visibility/reporting
• AV scanning, file reputation and sandboxing
• Block page rendering
• Basically anything that can't be accomplished at the DNS layer

Decryption has to be turned on to take advantage of some other SWG functionality.

This deeper level of visibility is required to do granular app controls and URL-level functionality, as well as file scanning/sandboxing and block page rendering.
Customer Signed Certificate Authority
• Support for customers' signed certificates for SSL decryption
Web policies requiring decryption
• HTTPS blocking and monitoring
• Advanced application control
  • Upload blocks, posts, shares, attachments
• SWG SAML for user granularity in SIG tunnels
• XFF proxy chaining for internal IP
• File type controls (block on certain extensions)
• File analysis
  • AMP and AV
  • Threat Grid upload
• Tenant controls
• Warning pages
• Remote Browser Isolation (RBI)
• Data Loss Prevention (DLP)
How do we get traffic to SWG?
AnyConnect Roaming (no standalone module)

[Diagram: on-network and off-network clients, behind NAT, send explicit proxy requests such as "HTTP CONNECT cisco.com:443" to the SWG.]

• AnyConnect module redirects all TCP 80/443 traffic.
• Traffic is sent in the form of explicit proxy requests.
• Identity is included in the requests.

Pros
• Protects clients on and off network
• Plugs into existing AnyConnect deployments
• Simple and consistent identity
• Mac and Windows compatibility

Cons
• Requires software management
• Another endpoint agent
• No firewall support (yet)
• No mobile device support

AnyConnect just sends explicit proxy requests!

Requests do not need to come from trusted networks because identity is shared in the request (we will go into more detail on that in the identity section).

VPN is not necessary!
- AnyConnect is not just a VPN client!
- The roaming module (using the stream interceptor) redirects web traffic to Umbrella SIG.
AnyConnect Selective Enable/Disable (Limited Availability)

Remember this wonderful icon is SWG?

Well, the problem was that it enabled SWG for all users at the same time because it is a global config. This became problematic when customers wanted to enable SWG for a POC.

This makes it hard for customers who want to test SWG on a small number of computers and get their configuration right.

To control the rollout of SWG a user would also have to use GPO/script options to disable the service as desired, which customers find "undesirable".

Fast forward to today: we have AnyConnect Selective Enable/Disable.

SWG Selective Enablement is designed to allow customers to switch on SWG for a limited number of AnyConnect roaming computers instead of switching it on/off for the entire organization.

This feature is primarily designed to help users with testing the SWG solution on a smaller subset of their roaming computers before they perform a full rollout.

How to?
Configuration
The option is available on a per-roaming-computer basis in the Deployments > Roaming Computers page.
The setting can be enabled on one or more computers by using the checkboxes on the Roaming Computers page. It is possible to enable this on up to 100 devices at once, which is the maximum number visible on a single page.
The status of the setting is also visible when expanding the status of a single roaming client.
Best Practices - AnyConnect
• Recommended version for AnyConnect SWG deployments is at least 4.9 MR4 (4.9.04053)
• Confirm that the updated Umbrella IP ranges are permitted on the network from which the AC SWG connection is established.
• For bandwidth-intensive or critical business apps/sites that require excluding traffic from the proxy, you can configure External Domains under Deployments > Domain Management
  • Internal domains – applies to DNS and SWG
  • External domains – applies to SWG only
  • Support to bypass IPs under Domain Management
• Enable Trusted Network Detection when you need to move AC SWG to a standby state on-network
• Enhanced AD user identity for AnyConnect SWG 4.10.00093

https://support.umbrella.com/hc/en-us/articles/360044123751-Disable-Umbrella-on-Trusted-Networks-Protected-Network-Disable-for-Enterprise-Networks
PAC file

[Diagram: an on-network client behind NAT, on a trusted source network / IP, sends "HTTP CONNECT cisco.com:443" to the SWG.]

• Client reaches out from a network defined in the Umbrella organization.
• PAC file is returned with internal networks already defined to go direct.
• Other infrastructure URLs are also pre-populated to go direct.
• Explicit proxy requests go to proxy.sig.umbrella.com.
• Requests are again validated against the defined networks in the organization.
• TLS tunneled over HTTP.

Pros
• Well-worn and tested technology
• Domain exceptions are incorporated automatically
• URL can be deployed via DHCP, GPO, DNS, etc.

Cons
• JavaScript knowledge required for customization
• No roaming support
• Only works for managed endpoints
• Not all apps honor PAC files

Once the browser has consumed the PAC file, it can start making "explicit" proxy requests:
- "Forward" proxy requests (vs. "transparent")
- Simply means the client knows about the proxy

Those requests are again validated against the trusted source networks configured in the dashboard.

In an explicit HTTPS proxy request, the TLS tunnel is sent over HTTP.
- What does that mean exactly?
- Let's look at some brief proxy fundamentals
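As an added example of the PAC behaviour described above (written by the editor, not Umbrella's actual PAC file): plain intranet hostnames, RFC 1918 destinations and a bypass list go DIRECT, everything else becomes an explicit proxy request to proxy.sig.umbrella.com, the host named on the slide. The proxy port (80, matching "TLS tunneled over HTTP") and the bypass list are assumptions. The PAC helpers isInNet, shExpMatch and isPlainHostName are normally supplied by the browser's PAC runtime; small pure-JS versions are defined in the same file so it also runs under Node for testing, and a browser simply sees duplicate definitions.

```javascript
// Added example, not Umbrella's PAC: the decision shape the slide describes.
// Assumptions: proxy port 80, the bypass list, and pure-JS stand-ins for PAC helpers.

var UMBRELLA_PROXY = "PROXY proxy.sig.umbrella.com:80";
var INTERNAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
];
// Constructed bypass list: an internal domain plus Umbrella's own infrastructure.
var BYPASS_HOSTS = ["*.corp.example.com", "*.umbrella.com", "*.opendns.com"];

function FindProxyForURL(url, host) {
  var scheme = url.split(":")[0].toLowerCase();
  // Only web traffic goes to the SWG; other schemes go direct.
  if (scheme !== "http" && scheme !== "https") return "DIRECT";
  // Single-label intranet names never leave the LAN.
  if (isPlainHostName(host)) return "DIRECT";
  // Literal RFC 1918 destinations stay internal. (Real PACs usually also test
  // dnsResolve(host) here; omitted so this runs offline.)
  if (isIpAddress(host)) {
    for (var i = 0; i < INTERNAL_NETS.length; i++) {
      if (isInNet(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return "DIRECT";
    }
  }
  // Explicit bypass list. Patterns are anchored, so umbrella.com.attacker.net does not match.
  for (var j = 0; j < BYPASS_HOSTS.length; j++) {
    if (shExpMatch(host, BYPASS_HOSTS[j])) return "DIRECT";
  }
  // Fail closed: no "; DIRECT" fallback, otherwise a proxy outage silently bypasses policy.
  return UMBRELLA_PROXY;
}

// --- Minimal stand-ins for the browser-provided PAC helpers ---
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function isIpAddress(host) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(host); }
function ipToInt(ip) {
  var p = ip.split(".");
  return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
}
function isInNet(ip, net, mask) {
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}
function shExpMatch(str, shexp) {
  var re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}
```

Two choices worth noting for a deployment: the return value deliberately omits the common `; DIRECT` fallback, because with it a proxy outage turns into an unlogged policy bypass, and the bypass patterns are anchored at both ends so a lookalike suffix cannot escape the proxy.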
IPsec

[Diagram: on-network devices behind NAT send TCP/UDP traffic over an IPsec tunnel to the SWG.]

• Any capable device (IPsec tunnel with IKEv2)
  - CSR, ASA, ISR, Viptela device, Meraki device, Linux server, Raspberry Pi, etc.
  - Up to 50 tunnels (support ticket to add more)
• Gets traffic to the Cloud-delivered Firewall and IPS/IDS
• No GRE available
  - Competitive advantage

Competitors like Zscaler offer GRE (no encryption) and charge extra for IPsec.
- IPsec also offers dead peer detection, which helps us with failover.
Identity for SWG
User attribution and authentication

Security Assertion Markup Language (SAML 2.0) support
• Service Provider (SP): Umbrella
• Identity Provider (IdP): PingID, Okta, Azure, Duo, OpenAM, ADFS, and others via generic support

Surrogate options (intended support for browsers; may not work for "desktop apps")
• Cookie surrogate: requires HTTP/HTTPS inspection; can specify a timeframe for expiry
• IP surrogate: HTTPS inspection not required; more consistent user ID authentication

IP surrogates require that Umbrella can see the internal IP. This is available for tunnels and proxy chaining, but not for PAC files or AnyConnect.
Multiple user attribution from single host

• Citrix/TS have multiple users behind a single IP address
• Secure web gateway employs SAML authentication via cookie surrogate
• Cookie surrogate supports multiple users behind a single IP address
• Supports virtual desktops (Citrix/TS) and published browsers (Citrix)

[Diagram: several users on one shared host (shared IP 10.10.1.1) reaching a webpage.]

Historically, customers using a VDI environment with Umbrella DNS-based protection could not see WHO behind the shared host was making the webpage request. However, with SIG you can use SAML and cookie surrogates to identify that user1 is going to a website blocked by corporate policy.

The cookie is typically active for the time the VDI is used and removed when the VDI session ends.

The VA with AD connector can only support a single user per IP address.
Web Policies
The Big Picture

[Diagram: three layers, Rules inside Rulesets inside Global.]

The Global layer is where customers define settings, defaults and configurations that have global effect.
Rulesets are logical containers where global settings and defaults can be overridden for a set of rules.
Rules define access control, and when or what security is applied.

Policy destinations will be migrated to rules: content categories, destination lists, and application settings.
Policy settings will be migrated to "global settings/defaults".
Policies will be migrated to rulesets.
Policies vs. Rules
• Policy matches on identity, rules match on identity and destination
• Policy applies actions in a hard-coded order of operations, a
matched rule applies the action it is configured for; rules can be
ordered to achieve the desired behavior
• Policies must be cloned for per user/group exceptions, rule
exceptions can be achieved by adding and/or reordering rules

The Anatomy of a Rule
• Priority (rule order)
• Action
• Identity (source)
• Destination

Rule Identities
• Users
• Groups
• Computers (with AnyConnect)
• Internal Networks
• Tunnels
• Networks (egress IP)
• Special “all policies identity” during interim state


Identity Order
• Users
• Groups > Users
• Computers
• Tunnels > Internal Networks
• Networks > Internal Networks


Rule Priority
• Rules are evaluated top-down
• Changing rule position changes rule priority
• Rule match applies the rule action, stops rule processing
• Every transaction is evaluated against the rule stack


Rule And Policy Interaction
• Policies are matched prior to rule matching
• Once a policy is matched, only the rules within the policy are
evaluated
• Any transaction that does not match a rule will be “implicitly allowed”
as per the legacy policy behavior


Taking Action
• When a rule is matched, one of the actions is applied:
- Allow > grants access to the requested URL but blocks if any security
category is matched or file scanning detects malware
- Block > presents end-user with a block page
- Warn > provides end-user with a "warn page" that will Allow if clicked-through
- Warn leverages a browser cookie to set warn status on the domain
• Currently destination lists can only apply Allow or Block actions

Apply Security, or Not Apply Security?
• The Allow action has a unique security override setting which will Allow access to
the requested URL without observing security categories or the file inspection verdict
• Use cases for security override:
- Emulate legacy policy behavior of "explicit allow"
- Work around false positives
- Investigate security blocks
• Security override cannot be applied to content categories

Example Web Policy
Ruleset = match all roaming computers

Warn = if source roaming computer and destination webmail then warn
Block = if source roaming computer and destination auction then block
Isolate = if source roaming computer and destination social networking then isolate
Allow-no-security = if source roaming computer and destination DEST_LIST then allow
Default allow

A ruleset is like a "container" of rules: there is one match for going inside the
"container" and then matches for the specific rules, so it can be used as an AND
condition ("network identity (ruleset) AND user (rule)").
Rules should match both source and destination.
There is a hidden default allow-all at the end of each ruleset.
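The following is an added Python model (not Umbrella code) of the evaluation order these slides describe, with the example web policy above encoded as data: the ruleset is the identity gate, rules are tried top-down and the first match wins, Allow still enforces security categories and file verdicts unless the security override is set, Warn honours a per-domain click-through, and a hidden default allow closes the ruleset. Identity precedence is simplified to set overlap, and a transaction that matches no ruleset is treated as allow-with-security (my assumption); hostnames and the DEST_LIST contents are constructed.

```python
"""Toy model of Umbrella web policy evaluation: ruleset (identity gate) -> rules
top-down, first match wins -> hidden default allow.  Added illustration only."""
from dataclasses import dataclass, field

ALLOW, BLOCK, WARN, ISOLATE = "allow", "block", "warn", "isolate"

@dataclass
class Request:
    identities: set                 # identities the transaction carries, e.g. {"roaming-computer"}
    host: str                       # requested host
    categories: set                 # content categories of the destination
    security_categories: set = field(default_factory=set)  # e.g. {"malware"}
    malware_in_file: bool = False   # file-scanning verdict for a download

@dataclass
class Rule:
    name: str
    identities: set
    destinations: set               # content categories and/or destination-list names
    action: str
    security_override: bool = False # only meaningful for an Allow rule

@dataclass
class Ruleset:
    name: str
    identities: set
    rules: list

# Destination lists referenced by rules (constructed sample data)
DEST_LISTS = {"DEST_LIST": {"partner.example", "trusted-tools.example"}}

def dest_matches(rule, req):
    """A rule destination is a content category or a destination-list entry."""
    if rule.destinations & req.categories:
        return True
    return any(req.host in DEST_LISTS.get(name, set()) for name in rule.destinations)

def allow_with_security(req):
    """Allow still blocks on a security category match or a malware file verdict."""
    return BLOCK if req.security_categories or req.malware_in_file else ALLOW

def evaluate(rulesets, req, warn_acked=frozenset()):
    """Return (action, ruleset_name, rule_name).  rule_name is "default" for the hidden
    allow at the end of a ruleset; both names are None when no ruleset matched.
    Identity precedence (users > groups > computers > ...) is simplified to overlap."""
    for rs in rulesets:
        if not rs.identities & req.identities:
            continue                          # not inside this container
        # Only the rules of the first matching ruleset are evaluated.
        for rule in rs.rules:                 # top-down: position is priority
            if not (rule.identities & req.identities and dest_matches(rule, req)):
                continue
            if rule.action == ALLOW:
                action = ALLOW if rule.security_override else allow_with_security(req)
            elif rule.action == WARN:
                # The warn page sets a browser cookie per domain; once clicked
                # through, the domain proceeds as an Allow (security still applied).
                action = allow_with_security(req) if req.host in warn_acked else WARN
            else:
                action = rule.action          # BLOCK or ISOLATE
            return action, rs.name, rule.name
        return allow_with_security(req), rs.name, "default"   # hidden default allow
    # No ruleset matched: implicit allow; assumed here to still apply security.
    return allow_with_security(req), None, None

def add_exception(ruleset, rule, position=0):
    """Per-user/group exceptions are made by adding or reordering rules, not by
    cloning the whole policy; returns a new ruleset with `rule` inserted."""
    new = Ruleset(ruleset.name, ruleset.identities, list(ruleset.rules))
    new.rules.insert(position, rule)
    return new

# The example web policy from the slide, as data
RC = {"roaming-computer"}
EXAMPLE_POLICY = [
    Ruleset("all-roaming-computers", RC, [
        Rule("Warn", RC, {"webmail"}, WARN),
        Rule("Block", RC, {"auction"}, BLOCK),
        Rule("Isolate", RC, {"social networking"}, ISOLATE),
        Rule("Allow-no-security", RC, {"DEST_LIST"}, ALLOW, security_override=True),
    ]),
]

if __name__ == "__main__":
    for req in (Request(RC, "mail.example", {"webmail"}),
                Request(RC, "bid.example", {"auction"}),
                Request(RC, "partner.example", set(), {"malware"}),
                Request(RC, "news.example", {"news"})):
        print(req.host, "->", evaluate(EXAMPLE_POLICY, req))
```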

Example Policy View


Policy sample with a single ruleset

Ruleset condition = all AnyConnect devices
Rule condition = AnyConnect, but can easily be changed to user-based for the PoV

Umbrella policy tester

Allows you to test your policies to determine if they are working without having to
test them from the computer, network, or identity to which the policies are applied.
The results include:
• Triggered Identity
• Destination
• Result
• Destination List/Security Settings/Category Settings
• Categorization
• Policy applied

This is a competitive differentiator, other vendors do not have this

Module 7
Advanced SWG

Remote Browser Isolation (RBI)
RBI - Overview

• RBI is an Umbrella SWG feature that allows Categories and/or Destination
Lists to be configured for 'Isolation' in Umbrella Web Policy Rules.
• When Isolation is enabled, Active Content (such as scripts, images, macro-
enabled documents) on websites is executed in the cloud. The client
downloads the sanitized result instead of downloading and executing the
potentially harmful script in their browser.
• RBI protects identities from potential malware and other threats by
redirecting browsing to a cloud-based host.
• Works by rendering web sites in a disposable virtual container (Chromium) in
our isolation platform, then sending just that rendering to your browser.
• RBI provides file Isolation & sanitization.

RBI Integrated in Web Rules


No additional dashboards, added policies, different logging sources, or identities. You
want to add RBI? We just add it to your existing dashboard, configure the isolation policy
and leverage all the existing work you've already done. Simple, and it exemplifies the
SASE direction.

RBI traffic flow overview

[Diagram: web browser (client) -> Umbrella Cloud (SWG, isolation platform, file inspection with AMP/Threat Grid) -> website]

Client: mention that only browsers are supported. Other apps (e.g. Facebook for iOS) will
not be isolated.

File inspection occurs if the user downloads a file. Call out the file download options
(cleaned PDF or file format stripped of macros).
Supported file types for download and the action taken are listed here:
https://support.umbrella.com/hc/en-us/articles/360060113992-Cisco-RBI-Remote-
Browser-Isolation-Supported-Formats-for-Document-Isolation

Encrypted archives are supported. They are extracted into the RBI platform and you
are able to download a specific file from the archive.

What can be isolated?
• Browser traffic only.
- User-agent based filtering in the Umbrella proxy.
- Umbrella: Non-browser traffic ==> Allow with security

• Top level page request only.
- Browsers treat some iframes as top-level page requests.
- Resource requests within a page cannot be individually isolated.

• Examples:
- Isolating an image loaded by a page which is not isolated is not possible.
- Isolating an app action without isolating the app is not possible.

RBI - Three package options
• Isolate Risky
- Isolate uncategorized websites
- Isolate security categories (including Potentially Harmful)

• Isolate Web Apps
- Isolate popular communication and collaboration applications like Box, Slack, Gmail
- Content categories: Chat/IM, Social/Personal Networking, File Storage/Transfer,
Webmail/Organization Email

• Isolate Any
- Isolate any chosen destination, including content categories, security categories,
destination lists, applications, uncategorized, etc.

RBI - Requirements
• HTTPS inspection must be enabled in the ruleset
• Domains/URLs required or intended for isolation cannot be included in Internal,
External bypass list or SSL decryption lists
• Browsers: Access to third-party cookies enabled
• Minimum supported browser versions:
- Apple Safari 9
- Google Chrome 34
- Microsoft Internet Explorer 10
- Microsoft Edge 12
- Mozilla Firefox 17
- Samsung Internet 11


RBI - Use cases
• Isolate risky destinations
- Uncategorized destinations, destinations in a particular content or security category
- Allow safe access to risky sites
- Ability to go to web apps but with some safeguards, such as the ability to download a
sanitized version of a document

• Isolate specific users
- Teams receiving unsolicited contacts, emails, attachments, and URLs, such as
human resources, accounts payable/receivable, customer support, etc.
- Executives, users with access to sensitive data or critical systems, threat
researchers

• *RBI focuses on specific use-cases rather than isolating all web traffic.

RBI - Use Cases: Document Isolation
Document downloads will open in a cloud-hosted document viewer within the web page
instead of being downloaded automatically.

This is to protect the user against harmful 'macros' or embedded code that could be within
the document. However, the user will have the option to download the original
(unsanitized) version of the file, or a safe PDF converted version.

[Screenshot of the document viewer: Document name, Download Original (Unsanitized), Download PDF version (Sanitized), Document Contents]

RBI - Isolated Page Appearance
• Identify the Cisco Isolate Icon


RBI - Considerations
Supported file formats

The ability to view in web isolation or download a protected version as listed only
applies if you are already in an isolated location when you click the link.

File download is subject to the file type control configured in the web policy.

https://support.umbrella.com/hc/en-us/articles/360060113992-Cisco-RBI-
Remote-Browser-Isolation-Supported-Formats-for-Document-Isolation

RBI - Reporting – Website isolated
Activity search > check the filter “Isolate”


Data Loss Prevention (DLP)
DLP - Overview

• Monitors sensitive information or content classified as personally identifiable.
• When necessary, content is blocked from being uploaded to the web.
• Monitor potential information leakage.
• Prevent potential information leakage by blocking based on the data
classifiers and identifiers, for the supported applications and workflows.

Multimode Cloud Data Loss Prevention (DLP)
Unified policies and reporting for a single customer experience

Real-time (inline) DLP
• Works via the Umbrella Secure Web Gateway proxy
• Scans web traffic inline for real-time enforcement
• All application coverage: sanctioned and unsanctioned

SaaS API (out-of-band) DLP
• Works via cloud APIs for data at rest; no web proxy required
• Scans web traffic out-of-band with near real-time enforcement
• Sanctioned app coverage

[Diagram: Cisco Umbrella Real Time DLP and Cisco Umbrella SaaS API DLP cover all destinations from the same management interface]

I have three enhancements to let you know about for CASB. The biggest one is
Multimode cloud DLP, which we plan to have generally available on November 30th.

What this means is that Umbrella will provide not just inline DLP, but also out-of-band
DLP.

Umbrella inline DLP scans outbound web traffic in real time through our secure web
gateway proxy, whereas out-of-band DLP is API-based and scans web traffic while it's
at rest in the cloud, without going through a proxy, but with near real-time
performance.

The out-of-band DLP will support Cisco Webex, Google Drive, and Microsoft 365 (OneDrive
and SharePoint) at first, but support for more platforms will come later.

From a branding and user interface perspective, we are calling the inline DLP "Real-
Time DLP", and the out-of-band DLP "SaaS API DLP".

A VERY important point to make is that other vendors do already provide both
modes of DLP, but a key differentiator in Cisco Umbrella will be the unified policies
and reporting between them, giving customers a single interface experience,
whereas the other vendors deliver two separate policy and reporting experiences,
so there's a lot of back and forth between them that Umbrella customers won't have
to deal with.
Multimode DLP: Exact Data Matching (EDM)
Reduces false positives while increasing true positives

Exact Data Matching monitors multiple values of a data record at a time
• Significantly increases detection accuracy
• Nearly eliminates false positives

Umbrella enables customers to easily configure the EDM and protect their most sensitive data sets
Configuration workflow:
• Define the template for the data records as a Custom Data Identifier
• Run a one-line command with the indexer tool, which uploads a bloom filter file of
indexed customer records
• The EDM Identifier containing the indexed data is ready to use as criteria in the
DLP rule (inline and out-of-band)

Exact Data Matching is an advanced and flexible classification and detection technique
that allows customers to protect their sensitive data records that are maintained in a
tabular format, by matching multiple values in a data record rather than a single value.

What this means in everyday English is, let's say you have a data record like a person's
full name, along with maybe their social security number, a phone number, maybe a
birthdate or a credit card number. If you identify a match of just one of those
components that triggers an alert, you may get several false alerts. But matching two or
more values of a sensitive record, like a combination of both name and social security
number, more strongly indicates the presence of a sensitive record that should be
protected.

That's what Exact Data Matching does. You get better efficacy, accuracy, and a higher
level of trust.

What is Exact Data Matching and what is the value to Umbrella customers?
Exact Data Matching is an advanced data classification and detection technique allowing
customers to protect their sensitive data records maintained in a tabular format, by only
matching against the values of their genuine records. Some examples of sensitive
records: customer records, employee records, corporate credit card records, etc. While
you can protect these records using existing pattern matching capabilities such as regex
patterns and dictionary terms, these methods are relatively complex and inherently
prone to false matching. For example, matching a single part of a sensitive record (e.g.
name, social security number, phone number) might not be useful and can result in a
false match. However, matching two or more values of a sensitive record, for example a
combination of both name and social security number, strongly indicates that sensitive
records are present.

Umbrella's Exact Data Matching solution is a high-efficacy solution that reduces false
positives while increasing true positives, helping customers protect their most critical
data assets. Essentially, EDM fingerprints sensitive data records from structured
sources, such as databases or spreadsheets, then monitors the fingerprinted data and
blocks it from being shared or transferred inappropriately. Customers have great
flexibility in defining what is the most critical part in a data record (for example, it could
be the employee's SSN) and the fidelity of detection: should an event be raised upon
detecting a record in its entirety, or would a partial match suffice?

Does this mean we store copies of customer sensitive data?
No, we do NOT keep a copy of customer data, as that would be unacceptable. Instead,
customers use a tool that we provide to create irreversible hashes of their records and
upload them to our DLP service. In turn, the DLP engine will use these hashes to match
against the scanned content.

Will Exact Data Matching work with both Real Time DLP and SaaS API DLP?
Our Multimode DLP product provides unified data classifications to simplify policy
creation for both data-in-motion and data-at-rest. Therefore, EDM and all other data
classification techniques are supported by both the Real Time and SaaS API DLP
products.

Where in Umbrella can I configure Exact Data Matching?
Configuring Exact Data Matching is accessible in the Umbrella dashboard via:
Policies --> Policy Components --> Data Classification --> Exact Data Match Identifiers
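To make the "two or more values of the same record" idea concrete, here is an added toy implementation, not Umbrella's indexer tool, bloom filter format or DLP engine: records are fingerprinted with keyed hashes (the HMAC key, the normalisation rule and the sample records are my assumptions), only the digests are indexed, and scanned text raises an event only when at least `min_columns` values of one record are found, optionally requiring a critical column such as the SSN.

```python
"""Toy Exact Data Matching: index keyed hashes of record values, never the plaintext,
and flag text only when two or more values of the same record are present.
Added illustration only; not Umbrella's indexer, bloom filter format or DLP engine."""
import hashlib
import hmac
import re
from collections import defaultdict

def normalize(value):
    """Canonical form so "123-45-6789", "123 45 6789" and "123456789" match alike."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def fingerprint(value, key):
    """Irreversible, keyed digest of a normalised value (HMAC-SHA256, my choice)."""
    return hmac.new(key, normalize(value).encode(), hashlib.sha256).hexdigest()

def build_index(records, columns, key):
    """Index digest -> {(record_id, column)}.  Only digests are kept, so the index can
    be uploaded without disclosing the records (a dict stands in for the bloom file)."""
    index = defaultdict(set)
    for rid, rec in enumerate(records):
        for col in columns:
            index[fingerprint(rec[col], key)].add((rid, col))
    return dict(index)

def candidates(text, max_words=3):
    """Yield every run of 1..max_words whitespace-separated tokens, so multi-word
    values such as a full name or a spaced phone number can be fingerprinted."""
    toks = re.findall(r"\S+", text)
    for n in range(1, max_words + 1):
        for i in range(len(toks) - n + 1):
            yield " ".join(toks[i:i + n])

def scan(text, index, key, min_columns=2, required=None):
    """Return {record_id: matched columns} for records meeting the fidelity rule:
    at least `min_columns` distinct columns, and the `required` column if given."""
    hits = defaultdict(set)
    for cand in candidates(text):
        for rid, col in index.get(fingerprint(cand, key), ()):
            hits[rid].add(col)
    return {rid: cols for rid, cols in hits.items()
            if len(cols) >= min_columns and (required is None or required in cols)}

# Constructed sample records and key (not real data)
RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "phone": "555-010-2222"},
    {"name": "John Roe", "ssn": "987-65-4321", "phone": "555-010-3333"},
]
COLUMNS = ("name", "ssn", "phone")
KEY = b"constructed-demo-key"
INDEX = build_index(RECORDS, COLUMNS, KEY)

if __name__ == "__main__":
    print(scan("Please update Jane Doe, SSN 123456789, before Friday", INDEX, KEY))
    print(scan("Call John Roe about the invoice", INDEX, KEY))  # one value only: no event
```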
Umbrella multi-mode DLP: Unified policy & reporting

• Unified reporting, eliminating the frustrating pivoting of some competitor solutions (e.g. Zscaler)
• Shared data classifications, simplifying policy creation and reducing admin burden
• One convenient dashboard to manage both Real Time and SaaS API rules
Umbrella multi-mode DLP: Rich context & forensics

• Detailed event data, including file properties, site/application categorization and event timeline
• Unique event timeline to provide a quick, at-a-glance file and event history
• Forensics information highlighting the violating sensitive data
• Forensics answering critical DLP investigation questions:
- Who is the file owner for remediation?
- When was sensitive data exposed?
- Which action has been taken?
- Time-to-Detect and Time-to-Remediation
• Enables security analysts to validate the violation and provide guidance to the end-user for remediation

This unified reporting is a competitive differentiator for customers interested in our
DLP. With other vendors you have to go to multiple windows to see this same
dataset. We designed this with the DLP admin's workflow in mind.
Inline DLP - Fully integrated into SWG
• Cloud-native, leveraging SWG for connectivity, routing and SSL decryption
• Robust DLP classification via 80 pre-built data identifiers and user-defined
dictionaries for custom keywords
• Flexible DLP policy for granular control, targeting data, users/groups,
locations, cloud apps, destinations
• Detailed reporting for incidents covering identity, file names, destinations,
classification, pattern match, excerpt, triggered rule
DLP - Configuration Overview
P lan and design your C onfigure your Data C onfigure your DLP
Dat a Classifications C lassifications R u le

• Data Classifications are • The DLP rule will perform a


groups of d ata identifiers. m o nitor or block action
• Ad d the b uilt-in Data
when the conditions are
I d entifiers of your choice.
• Data Classifications can met.
include b ui lt-in, and cus tom
• Configure and ad d y our
d ata identifiers. • C ho ose a severity for your
C us tom Data Identifiers.
DLP rule based on the risk
• B ui lt-in data identifiers are involved.
• S e t a B oolean o perator that
PIIs (personal identification
will allow you to control
information) already • Ad d the SWG i dentities,
whether all, or at least one
provided by Umbrella. your Data C lassifications ,
data identifier must match
Fi l e Labels, destinations and
to trigger the DLP rule.
• C us tom data identifiers are e x clusions into the DLP
defined by the user. rule.

© 2023 Cisco and/or it s af f iliat es. All right s reserved. Cisco Conf ident ial 232

232
DLP events in reports


Module 8
Investigate
Investigate: the most powerful way to uncover threats
Key points
• Intelligence about domains, IPs, and malware across the internet
• Live graph of DNS requests and other contextual data (domains, IPs, ASNs, file hashes)
• Correlated against statistical models
• Discover and predict malicious domains and IPs
• Enrich security data with global intelligence
• Available via the console and the API (SIEM, TIP integrations)

- In a single, correlated source, Investigate provides the most complete view of the
relationships and evolution of domains, IPs, autonomous systems (ASNs), and file
hashes, and adds the security context needed to help you uncover and predict
threats.

- Investigate leverages a live graph database of DNS requests and other contextual
data. We take this massive amount of data and apply statistical models to it.
This helps us automatically discover and predict malicious domains and IPs.

- Additionally, with this information, you can enrich your existing security data with
our global intelligence.

- Investigate provides access to this intelligence via a web console or an API.

A single, correlated source of intelligence
Passive DNS database
WHOIS record data
Malware file analysis
ASN attribution
IP geolocation
Domain and IP reputation scores
Domain co-occurrences
Anomaly detection (DGAs, FFNs)
DNS request patterns/geo. distribution


- All of this intelligence is available in a single, correlated source with Cisco Umbrella
Investigate.
- One of the biggest differentiators with this tool is that we are bringing together
many pieces of information.
- Without Investigate’s aggregate intelligence, organizations would need to try to get
this information from many other places, which is time consuming and only shows
one piece of the puzzle. Security teams are then left to figure out the correlations and
connections manually.

Additional Notes:

Passive DNS = historical DNS data (other vendors: FarSight)
Domain reputation (other vendors: Webroot)
ASN Attribution (IP -> ASN) (other vendors: Team Cymru)
IP Geo Location (other vendors: Maxmind)
IP reputation (other vendors: Norse)
Domain co-occurrences (no one else provides this)
Anomaly detection - DGA/fast flux detection
Domain to IP relationships (passive DNS)

[Diagram: domain1.com, domain2.com and domain3.com each resolved to 12.4.0.4/32, on 10 JAN 2016, 11 JAN 2016 and 12 JAN 2016 respectively]

- With Investigate and our wide view of internet infrastructure, we can see
relationships that otherwise would go undiscovered.
- One example is the relationship between domains and IPs.
- Here, you can see that these three domains were all mapped to the same IP address
on different dates.
- This kind of insight would be especially important if you're investigating an IP
address.
- Let's say that this IP historically hosted only 3 domains, but Investigate can show you
that in the past week, this IP started hosting 10 new domains, 5 of which are
associated with malware.
Domain → IP → ASN relationships

[Diagram: domain1.com resolved to 1.168.6.17 (AS 3462), 100.2.65.157 (AS 701) and 104.162.93.136 (AS 12271)]

- You can not only pivot between domains and IPs, but also ASNs.
- Think of ASNs as neighborhoods on the internet: you have your good
neighborhoods, your bad ones, and the neighborhoods you're wary of.
- Investigate correlates and maps all of these relationships and enables you to pivot
between domains, IPs, and ASNs during incident investigations. By pivoting between
these, you can actually map out attackers' infrastructure and uncover future attack
origins.
Domain co-occurrences

[Diagram: timeline of queries from 55.71.2.8/32: domain3.com at 0 seconds, domain4.com at 0.005 seconds, domain5.com at 0.007 seconds]

- If you recall earlier, we mentioned that every day we see more than 80 billion DNS
requests from about 65 million users worldwide.
- This gives us great insight into the patterns of DNS requests that are made by
people globally. You might be wondering what insight we gain from that data.

Alternative start if you mentioned the co-occurrence model: You're already familiar with
the co-occurrence model that pinpoints domains that are visited right before or after a
certain domain is queried. Well, domain co-occurrences are also available in
Investigate.

- Consider this example: when you visit a website and it contains ads or content
hosted on third-party servers, then milliseconds after the initial domain is queried,
multiple other domains are also queried.

- This shows a temporal pattern, and when we correlate it with millions upon millions
of patterns from our global user base, it enables us to statistically observe which
domains always follow or precede other domains in short time intervals.

- By looking at domain co-occurrences, we can uncover other domains that might be
related to the same attack. For example, you might visit one domain, but then you
could be automatically redirected (without even knowing it) to a site that hosts
malware. Investigate can show you any co-occurrences and related domains for a
domain that you're researching.
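As an added illustration (not the Investigate co-occurrence model), the function below derives co-occurrences from a constructed DNS query log: for each domain it records, per client, the domains queried within a short window afterwards, and keeps only followers seen from several distinct clients, so one user's one-off pattern does not become a "related domain". The 10 ms window, the client threshold and the log entries are my assumptions.

```python
"""Toy domain co-occurrence from a DNS query log: which domains do many different
clients query within a short window after a given domain?  Added illustration only,
not the Investigate co-occurrence model."""
from collections import defaultdict

# Constructed DNS query log: (client IP, query time in seconds, queried domain)
LOG = [
    ("10.0.0.1", 100.000, "domain3.com"), ("10.0.0.1", 100.005, "domain4.com"),
    ("10.0.0.1", 100.007, "domain5.com"),
    ("10.0.0.2", 250.000, "domain3.com"), ("10.0.0.2", 250.004, "domain4.com"),
    ("10.0.0.2", 250.006, "domain5.com"),
    ("10.0.0.3", 300.000, "domain3.com"), ("10.0.0.3", 300.003, "domain5.com"),
    ("10.0.0.3", 300.008, "domain4.com"), ("10.0.0.3", 300.009, "tracker.example"),
    ("10.0.0.4", 400.000, "domain3.com"), ("10.0.0.4", 405.000, "news.example"),
]

def co_occurrences(log, window=0.010, min_clients=2):
    """Return {domain: {follower: number of distinct clients}} where `follower` was
    queried by the same client within `window` seconds after `domain`.  Counting
    distinct clients rather than raw events keeps one noisy client from dominating,
    and `min_clients` drops followers seen from too few clients to be a pattern."""
    by_client = defaultdict(list)
    for client, ts, domain in log:
        by_client[client].append((ts, domain))
    followers = defaultdict(lambda: defaultdict(set))   # domain -> follower -> {clients}
    for client, events in by_client.items():
        events.sort()
        for i, (t0, d0) in enumerate(events):
            for t1, d1 in events[i + 1:]:
                if t1 - t0 > window:
                    break                                # sorted: nothing later fits
                if d1 != d0:
                    followers[d0][d1].add(client)
    result = {}
    for domain, fol in followers.items():
        kept = {f: len(c) for f, c in fol.items() if len(c) >= min_clients}
        if kept:
            result[domain] = kept
    return result

def related_domains(domain, log, **kw):
    """Followers of `domain`, strongest first: the candidates worth pivoting to."""
    fol = co_occurrences(log, **kw).get(domain, {})
    return sorted(fol, key=lambda d: (-fol[d], d))

if __name__ == "__main__":
    # domain4.com and domain5.com; tracker.example (one client) and news.example
    # (5 s later) are not reported
    print(related_domains("domain3.com", LOG))
```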
IP geo-location analysis

Host Infrastructure: location of the server IP addresses mapped to the domain.
Example: hosted across 28+ countries.

DNS Requesters: location of the network and off-network device IP addresses
requesting the domain.
Example: only US-based customers requesting a .RU TLD.

- Another element we analyze is where the IPs are hosted. Malicious hosts tend to
have multiple IP addresses that are located far away from each other, not on the
same network, since they are often compromised servers themselves. Here we can
see that this domain is hosted by IP addresses in more than 20 countries. While this
doesn't confirm that it's malicious, it's another piece of evidence.
- We also analyze the relationship of where the domain is hosted and where the people
who are requesting the domain are located. For example, if a domain name has a
country-code in Russia but has a large amount of traffic from far away from that
country (i.e. the US), it is suspicious!
WHOIS record data
See relationships between attackers' infrastructure
• Who registered the domain
• Contact information used
• When/where registered
• Expiration date
• Historical data
• Correlations with other malicious domains

- Attackers try to hide their tracks by changing their information when registering a
new domain, but they sometimes forget. So even a single piece of information can
give vital clues about the attacker or campaign.
- By incorporating WHOIS record data in Investigate – users will have insight about
who registered a domain, when and where it was registered – including contact
information and any changes over time.
- Our intelligence provides visibility into any malicious domains registered using any
of the same contact information, which can be used to tie attacks together.

Malware file analysis data
Powered by Cisco Secure Malware Analytics (formerly known as AMP Threat Grid)

- And with the integration of Cisco's AMP Threat Grid data in Investigate, Investigate
can be used to uncover intelligence about the attacker's piece of malware.
- Similar to how Investigate provides intelligence about the relationships between
domains, IPs and ASNs, Cisco AMP Threat Grid provides intelligence about malware
files so security teams can quickly understand what malware is doing or attempting
to do, how large a threat it poses, and how to defend against it.
- In Investigate, you can query by file hash (SHA256, SHA1, or MD5), domain, IP, or
ASN, and get more insight into which file hashes are calling out to a given domain,
with associated samples, their threat score, behavioral indicators, and other file
analysis data.
- Threat Grid license holders can even pivot directly into Threat Grid with a click of a
button.
You know one IOC. We know all its relationships.
Your local intelligence. Our global context.

- You (the customer) may have one Indicator of Compromise (IOC), such as a
suspicious domain.
- We know all of its relationships with our global context. For example, we can tell
you all of the IP addresses it's hosted on, which autonomous systems it's associated
with, other related domains that it's frequently queried with, its reputation, and
more.
Use our global intelligence to...

• Prioritize investigation and response
• Speed up investigations
• Stay ahead of attacks
• Enrich other systems with live data

We see customers using Investigate in 4 major use case categories:

- First, to prioritize incident investigations: To properly triage incidents, you need to
get accurate information and the relevant context quickly. Our unique view of the
internet enriches your security event data and threat intelligence with global context
to help better prioritize investigations & incident response.

- The second major use case is speeding up investigations: Incident response times
can lag when security teams do not have the right context or access to pertinent
information early in the investigation. Investigate provides a single, correlated source
of threat intelligence about domains and IPs across the internet, and helps security
teams quickly do research during investigations.

- Third is using it to stay ahead of attacks: With Investigate you can uncover
infrastructure that attackers are leveraging for current attacks and even find domains
and IPs that they might leverage in the future. By finding related infrastructure, you
can proactively protect your organization from future attacks.

- The fourth use case category is enriching other systems with live data: There are
lots of ways that you can integrate Investigate with existing systems (for example, IT
ticketing systems or threat intelligence platforms) and enrich the data with our
up-to-the-minute, internet-scale intelligence.
Splunk Add-on for Cisco Umbrella Investigate
Automatically enrich security alerts inside Splunk, allowing analysts to discover the
connections between the domains, IPs, and file hashes in an attacker's infrastructure.

[Diagram: Splunk <-> Investigate API (domains, IPs, ASNs, file hashes)]

Splunk Add-on for Cisco Umbrella Investigate:

- Automatically enriches security alerts inside Splunk, allowing analysts to discover
the connections between the domains, IPs, and file hashes in an attacker's
infrastructure.
- As a result, improves SOC efficacy to better triage and respond to critical incidents,
and even uncover potential threats.
Module 9
Operations & Troubleshooting

Umbrella Operations
Service Health
• Bookmark http://208.69.38.170/ and https://146.112.59.2/#/ so you can check
the Umbrella System Status pages even if local DNS is not available.
• Subscribe to the Cisco Umbrella Service Status page
at https://146.112.59.2/#/ to receive notifications about Service
Degradations, Service Outages, and/or Maintenance & Events.
• Follow the Service Updates subpages of https://support.umbrella.com/hc/en-
us/categories/204185887-Service-Updates
- Service Notifications: https://support.umbrella.com/hc/en-us/sections/206593887-
Service-Notifications
- Announcements: https://support.umbrella.com/hc/en-us/sections/206896108-
Announcements
- Service Updates: https://support.umbrella.com/hc/en-us/categories/204185887-
Service-Updates
• Periodically check the Cisco Umbrella Dashboard "Message Center" for product
alerts and notifications.

Multi Factor Authentication (Dashboard)
• Enable two-step verification (two-factor authentication) for all Umbrella dashboard users, following https://docs.umbrella.com/deployment-umbrella/docs/enable-two-step-verification
• The second factor is delivered either by SMS or through an external IdP. Prefer the IdP option where one is available: SMS one-time codes are the weaker factor (SIM swap, interception), and the IdP lets you apply the same access policy that protects your other admin consoles.
APIs to easily enable integration
Enrich data and extend protection across existing tools and workflows

Diagram: the customer environment (network devices, security stack, workflows) on one side and the Umbrella APIs on the other: Network Device API, Enforcement API, Investigate API, Reporting API and Management API.
Today, we have APIs that do some pretty amazing things, such as add more value to existing products and make the deployment of Umbrella across a Meraki network even easier.

In the future, we want to extend the capabilities of Umbrella even further by allowing our customers to do anything they currently do in our product via API.

Looking more closely at the APIs available today, which include:

• Network device API: easily deploy/register hardware devices within Umbrella, and set policies/view reports by device
• Enforcement API: automatically add malicious domains from other security systems to Umbrella to be blocked
• Investigate API: inject context on malware, phishing, ransomware, botnets and other threats into a SIEM or other tools (details on domains, IPs, URLs, files, etc.)
• Reporting API: extract key security events from Umbrella and integrate with a SIEM or other security orchestration tool
• Management API: manage organizations, networks, roaming clients, and more from your own systems
The new API keys*

Diagram: each key has a Name, one or more Groups (use cases) each with a Permission level, and an API key plus a key secret.
* Cisco integrations pending

Intuitive experience that makes it easy to rapidly leverage APIs.

Tailored access to a flexible and broad collection of APIs with highly customizable API keys.

Unified authentication: one method of authentication for the Management, Network Devices and Reporting API set.

Ability to create multiple API keys and give them meaningful names, so each integration gets its own key scoped to only the groups and permissions it needs, and a single key can be revoked without breaking the others.

Legacy API keys are still supported. Cisco integrations are hard coded to the legacy keys and require those devices to be upgraded before they can support the new v2 API keys. Until then, customers must use the legacy API keys for Cisco integrations.
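The unified authentication described above is a client-credentials flow: the API key and key secret are presented once to obtain a short-lived bearer token, and that token is what every Management, Network Devices or Reporting call carries. The client below is an added example written for this guide, not Cisco code. It assumes the token endpoint is POST https://api.umbrella.com/auth/v2/token with the key and secret as HTTP Basic credentials, and uses /reports/v2/activity/dns as a stand-in Reporting API path; both are taken from the Umbrella API documentation at the time of writing and should be verified against the current docs. The HTTP transport is injectable, so the block runs offline against a constructed fake service and shows the part that matters operationally: the token is cached and renewed shortly before it expires, rather than requested on every call.

```python
"""Umbrella v2 API key client with cached, auto-refreshed bearer token (added example)."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

API_BASE = "https://api.umbrella.com"           # assumption: current API base URL
TOKEN_URL = API_BASE + "/auth/v2/token"          # assumption: OAuth2 client-credentials endpoint
REFRESH_SKEW = 60                                # renew the token this many seconds early


def basic_auth_header(api_key: str, key_secret: str) -> str:
    """HTTP Basic value for 'key:secret'. The secret is displayed once at key
    creation: load it from a secret store at runtime, never hard-code it."""
    raw = f"{api_key}:{key_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def urllib_http(method: str, url: str, headers: dict, body: Optional[bytes]) -> bytes:
    """Default transport: a real HTTPS request via the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


class UmbrellaClient:
    def __init__(self, api_key: str, key_secret: str, http=urllib_http, clock=time.time):
        self._basic = basic_auth_header(api_key, key_secret)
        self._http = http          # injectable so the flow can be tested offline
        self._clock = clock        # injectable so expiry can be simulated
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0    # how often we actually hit the token endpoint

    def token(self) -> str:
        """Return a valid bearer token, requesting a new one only when needed."""
        if self._token and self._clock() < self._expires_at - REFRESH_SKEW:
            return self._token
        headers = {"Authorization": self._basic,
                   "Content-Type": "application/x-www-form-urlencoded"}
        raw = self._http("POST", TOKEN_URL, headers, b"grant_type=client_credentials")
        data = json.loads(raw)
        if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
            raise RuntimeError(f"unexpected token response: {data}")
        self._token = data["access_token"]
        self._expires_at = self._clock() + int(data.get("expires_in", 3600))
        self.token_requests += 1
        return self._token

    def get(self, path: str, **params) -> dict:
        """GET an API path with the bearer token. Whether the call is authorised
        is decided by the groups and permissions attached to the key."""
        url = API_BASE + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        headers = {"Authorization": "Bearer " + self.token(), "Accept": "application/json"}
        return json.loads(self._http("GET", url, headers, None))


class FakeApi:
    """Constructed stand-in for the service (not the real API): issues numbered
    tokens for Basic-authenticated POSTs and answers GETs that carry the
    most recently issued token."""
    def __init__(self):
        self.issued = 0

    def __call__(self, method, url, headers, body):
        if method == "POST" and url == TOKEN_URL:
            if not headers.get("Authorization", "").startswith("Basic "):
                return json.dumps({"error": "invalid_client"}).encode()
            self.issued += 1
            return json.dumps({"token_type": "bearer",
                               "access_token": f"tok{self.issued}",
                               "expires_in": 3600}).encode()
        if method == "GET" and headers.get("Authorization") == f"Bearer tok{self.issued}":
            return json.dumps({"data": [{"domain": "internetbadguys.com", "verdict": "blocked"}]}).encode()
        return json.dumps({"error": "unauthorized"}).encode()


def demo():
    """Three reporting calls with a manual clock: the first fetches a token, the
    second reuses it, the third (after the hour is up) triggers a refresh."""
    clock = {"t": 1_700_000_000.0}
    api = FakeApi()
    client = UmbrellaClient("key-id", "key-secret", http=api, clock=lambda: clock["t"])
    first = client.get("/reports/v2/activity/dns", limit=1)   # assumption: reporting path
    second = client.get("/reports/v2/activity/dns", limit=1)
    clock["t"] += 3600                                          # token now past expiry
    third = client.get("/reports/v2/activity/dns", limit=1)
    return client.token_requests, api.issued, [first, second, third]


if __name__ == "__main__":
    requests_made, issued, responses = demo()
    print(f"token requests: {requests_made}, tokens issued: {issued}")
    print(responses[-1])
```

Swap FakeApi for the default urllib transport and real credentials to run it against the service; the same client then works for any Management, Network Devices or Reporting path because the token is the same for all three.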
Reporting

THREATS REPORT: Quickly spot and remediate victims
• Recent threat trends
• Breakdown of threat types
• Top identities impacted by threats, with the ability to drill down
DESTINATION REPORT: Quickly assess extent of exposure
• Local vs. global trends for malicious domains
• Top identities associated with malicious activity
- Like the Identity reports, Destination reports will also be available later in 2017.
- Destination reports enable a customer to investigate every malicious domain that identities in their organization attempted to access.

Specifically, they see:
- Traffic volumes: how prevalent is this attack in my network?
- Global traffic %: is this attack targeted at me?
- Top identities: who has been infected that I might need to remediate?
- Relevant policies: why is this being blocked?

For example, if you see that Umbrella blocked a user from going to internetbadguys.com, you can view more detailed information such as when the request happened, who it came from, why it was blocked and more. With the local vs. global data, you can also assess the likelihood that it is a targeted attack: has Umbrella seen other customers requesting internetbadguys.com, or are requests only coming from you?
APP DISCOVERY REPORT: Manage shadow IT to enable secure cloud adoption
• Ability to easily block unapproved apps
• Status of discovered apps
• Summary of high-risk categories
• Visibility into cloud app usage by risk, with links to app details
Logging Best Practices
• Detailed logs are kept for 30 days only; after that they are reduced to aggregated report data and the per-request detail is gone.
• If you need the detailed data for longer than 30 days (incident response routinely does), export it to an Amazon S3 bucket under Settings -> Log Management, or configure log ingestion on the customer SIEM.
Log storage with Amazon S3

S3 benefits
• Triple redundant and encrypted storage
• Pre-built SIEM/log analytic integrations
• Use a self-managed or Cisco-managed bucket
• Centrally managed S3 logs

EU data warehouse available
• Ease data security concerns
• Store data in an EU facility
• Use the multi-org console for different storage settings for different locations

Diagram: Umbrella (visibility on- or off-network) exports logs every 10 minutes over HTTPS to an S3 bucket; any SIEM pulls them from S3 through the Amazon APIs using the pre-built integrations.
All log types are exported: SWG, CDFW and DNS logs (not in W3C format).

- When it comes to logs, another capability of Umbrella is the ability to export DNS logs to Amazon S3 for long term storage.
- Umbrella stores logs for 30 days, and we have built an integration that exports logs at regular intervals to Amazon S3.
- By using this, you can store logs for as long as needed and even export the logs from Amazon to a SIEM.
- Many customers ask for this functionality because they want the ability to go back and review DNS logs when responding to an incident. For example, they may need to research an incident that occurred 2 years ago, and this gives them the ability to retain logs as long as needed.

Do you have concerns about where your Cisco Umbrella logs are stored?
• With EU data sovereignty laws, storing EU-citizen data in a US-based data center can complicate things for EU companies.
• Cisco Umbrella now makes it easy for EU companies to store their log data in the EU.
• You now have the option to select an EU-based data center in Frankfurt, Germany for your Umbrella log data storage.
• With our Multi-org console, you can also support both EU and US log storage.
• You can configure Umbrella to have child orgs point to either storage location.
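What lands in the bucket every 10 minutes is gzipped CSV without a header row, so the retention and incident-response use cases above (and the 30-day caveat on the Logging Best Practices slide) come down to being able to read those files long after the dashboard has aggregated them away. The parser below is an added example for this guide, not Cisco tooling. The column order follows the documented Umbrella DNS log format (timestamp, most granular identity, identities, internal IP, external IP, action, query type, response code, domain, categories); newer log versions append further columns, which this parser ignores by reading positionally, so confirm the version your org exports. The sample rows are constructed, not real traffic, and use this page's own test destinations; the identity strings are likewise made up.

```python
"""Parse Umbrella DNS logs exported to S3 and rank identities by security blocks (added example)."""
import csv
import gzip
import io
from collections import Counter
from dataclasses import dataclass

# Documented column order of the DNS log export (assumption: verify against
# the log-format version your org exports; later versions append columns).
COLUMNS = ["timestamp", "identity", "identities", "internal_ip", "external_ip",
           "action", "query_type", "response_code", "domain", "categories"]

# Security categories named by the SecureX dashboard tiles later in this module.
SECURITY_CATEGORIES = {"Malware", "Phishing", "Command and Control", "Cryptomining"}


@dataclass
class DnsRecord:
    timestamp: str
    identity: str        # most granular identity the policy matched
    identities: list     # every identity that applied (user, network, site...)
    internal_ip: str
    external_ip: str
    action: str          # "Allowed" or "Blocked"
    query_type: str
    response_code: str
    domain: str
    categories: set


def parse_dns_log(gz_bytes: bytes) -> list:
    """Decompress one exported log object and map each CSV row to a record."""
    text = gzip.decompress(gz_bytes).decode("utf-8")
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(COLUMNS):
            continue  # skip truncated rows instead of mis-aligning columns
        fields = dict(zip(COLUMNS, row))  # zip stops at 10 fields; extras ignored
        records.append(DnsRecord(
            timestamp=fields["timestamp"],
            identity=fields["identity"],
            identities=[i for i in fields["identities"].split(",") if i],
            internal_ip=fields["internal_ip"],
            external_ip=fields["external_ip"],
            action=fields["action"],
            query_type=fields["query_type"],
            response_code=fields["response_code"],
            domain=fields["domain"].rstrip("."),  # logged FQDNs carry a trailing dot
            categories={c.strip() for c in fields["categories"].split(",") if c.strip()},
        ))
    return records


def security_blocks(records: list) -> list:
    """Blocked queries whose categories include a security (not content) category."""
    return [r for r in records if r.action == "Blocked" and r.categories & SECURITY_CATEGORIES]


def victims_by_identity(records: list) -> Counter:
    """Who to remediate first: identities ranked by number of security blocks."""
    return Counter(r.identity for r in security_blocks(records))


# Constructed sample export (not real traffic) built from this page's test destinations.
SAMPLE_CSV = "\n".join([
    '"2023-05-03 14:02:11","alice@example.local","alice@example.local,Branch-NYC","10.10.1.50","203.0.113.10","Blocked","1 (A)","NOERROR","internetbadguys.com.","Phishing"',
    '"2023-05-03 14:02:13","bob@example.local","bob@example.local,Branch-NYC","10.10.1.51","203.0.113.10","Allowed","1 (A)","NOERROR","www.cisco.com.","Software/Technology,Business Services"',
    '"2023-05-03 14:02:15","alice@example.local","alice@example.local,Branch-NYC","10.10.1.50","203.0.113.10","Blocked","1 (A)","NOERROR","examplebotnetdomain.com.","Command and Control"',
    '"2023-05-03 14:03:40","Branch-NYC","Branch-NYC","10.10.1.77","203.0.113.10","Blocked","1 (A)","NOERROR","exampleadultsite.com.","Adult Themes"',
]) + "\n"
SAMPLE_GZ = gzip.compress(SAMPLE_CSV.encode("utf-8"))


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_GZ)
    for r in security_blocks(recs):
        print(r.timestamp, r.identity, r.domain, sorted(r.categories))
    print(victims_by_identity(recs).most_common())
```

Note the fourth row: a content-filter block (Adult Themes) is excluded from the victim list on purpose, since it says nothing about compromise. Point the same functions at objects listed from the bucket and the two-years-ago question in the notes above becomes a loop over day prefixes.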
Basic Troubleshooting
Useful information
• Verify that a host is actually using the service: browse to https://welcome.umbrella.com/
Basic Troubleshooting – My IP address

When troubleshooting issues where networks are involved you may need to determine which public IP your DNS traffic leaves your network from; the command below shows it.

nslookup myip.opendns.com
Server: 171.70.168.183
Address: 171.70.168.183#53

Non-authoritative answer:
Name: myip.opendns.com
Address: 128.107.241.167

The answer is the source address from which the query reached the Umbrella resolvers. When the client asks a local resolver that forwards to Umbrella (as here, 171.70.168.183), that is the forwarder's egress address, and it is this address, not the client's, that must match a Network identity in the dashboard.
Basic Troubleshooting - Dig
The command line examples are nslookups of one of our test domains, which should be blocked as a security threat. The first two, shown below, query the local resolver and an Umbrella resolver directly; both return the Umbrella block-page address (146.112.61.107), which is what a blocked destination looks like at the DNS layer. The third, pointed at another DNS resolver that we don't control, shows the domain not being blocked. This is a quick way to test whether blocking is still occurring.

nslookup internetbadguys.com
Server: 171.70.168.183
Address: 171.70.168.183#53

Non-authoritative answer:
Name: internetbadguys.com
Address: 146.112.61.107

nslookup internetbadguys.com 208.67.222.222
Server: 208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
Name: internetbadguys.com
Address: 146.112.61.107
Basic Troubleshooting – debug.opendns.com
A TXT lookup of debug.opendns.com (for example, nslookup -type=txt debug.opendns.com) returns a few pieces of information worth noting. Orgid and Organization ID carry the same value and represent the number assigned to your dashboard; check it to make sure the device is receiving policy from your dashboard and not from another org.

Bundle is the number string tied to the policy being applied to the device. Compare it across devices that should be in the same policy to confirm they are protected by the same policy.

If the command does not produce output like this, the most likely problem is the DNS server in use: it is neither the loopback address (roaming client) nor pointed directly at our resolvers.
Umbrella Test Domains
For a full listing of Umbrella test destinations refer to https://support.umbrella.com/hc/en-us/articles/115000411528-What-are-the-Umbrella-Test-Destinations-The
• Test Phishing: http://www.internetbadguys.com
• Test Malware: http://www.examplemalwaredomain.com and http://malware.opendns.com/
• Test CnC: http://www.examplebotnetdomain.com
• Test Content Filtering: http://www.exampleadultsite.com
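The Dig slide and the test-domain list above describe the same check: ask a specific resolver for a test destination and see whether the answer is a block-page address. The script below is an added example for this guide, not Cisco tooling, and does that check without depending on the host's configured DNS at all. It builds a DNS A query by hand, sends it over UDP to the resolver you name (default: Umbrella's 208.67.222.222, as on the Dig slide) and classifies the answer. It assumes the Umbrella block-page range is 146.112.61.104 to 146.112.61.110 (the page's own sample shows .107); verify that range against current Umbrella documentation before relying on it. A constructed response builder is included so the parsing and classification run offline.

```python
"""Query a chosen resolver directly and tell a block-page answer from a real one (added example)."""
import ipaddress
import random
import socket
import struct

UMBRELLA_RESOLVER = "208.67.222.222"
# Assumption: documented Umbrella block-page range at the time of writing.
BLOCK_PAGE_FIRST = ipaddress.ip_address("146.112.61.104")
BLOCK_PAGE_LAST = ipaddress.ip_address("146.112.61.110")


def encode_name(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """Standard recursive A/IN query: flags 0x0100 (RD set), one question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, handling RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, qid: int) -> list:
    """Return the A-record addresses in a response; [] when RCODE is not NOERROR."""
    rid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    if rid != qid:
        raise ValueError("transaction id mismatch, discarding response")
    if flags & 0x000F != 0:              # RCODE: NXDOMAIN, SERVFAIL, REFUSED, ...
        return []
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def is_block_page(ip: str) -> bool:
    return BLOCK_PAGE_FIRST <= ipaddress.ip_address(ip) <= BLOCK_PAGE_LAST


def classify(addrs: list) -> str:
    """'blocked' only if every answer is a block-page address."""
    if not addrs:
        return "no-answer"
    return "blocked" if all(is_block_page(a) for a in addrs) else "resolved"


def resolve_a(name: str, resolver: str = UMBRELLA_RESOLVER, timeout: float = 3.0) -> list:
    """Send the query over UDP to one specific resolver and parse its answer."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def build_response(qid: int, name: str, ip: str, rcode: int = 0) -> bytes:
    """Constructed response for offline runs: echoes the question and, for
    NOERROR, answers with one A record whose owner is a pointer to offset 12."""
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, 1 if rcode == 0 else 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    if rcode != 0:
        return header + question
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    for domain in ("internetbadguys.com", "www.cisco.com"):
        answers = resolve_a(domain)
        print(f"{domain} via {UMBRELLA_RESOLVER}: {answers} -> {classify(answers)}")
```

Run it once against 208.67.222.222 and once against a resolver you do not control to reproduce the three-way comparison on the Dig slide; a "resolved" verdict for a test domain from the resolver your clients actually use means their DNS is not reaching Umbrella.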
Verify Cisco Certificate
• For HTTPS decryption, and for the block page to render on HTTPS sites without browser certificate errors, verify that the Cisco Umbrella root certificate is installed in the endpoint's trust store.
Talos
https://talosintelligence.com/reputation_center/lookup

This site lets you look up a domain to determine whether it is blocked and to see its content category.
Customer Health Check Checklist
https://learn-cloudsecurity.cisco.com/umbrella-resources/umbrella/customer-health-check-checklist
Policy Debugging
Policy Tester

• Available under Policies > Management > DNS Policies > Policy Tester (top right corner).
• Determines whether the specified identities can reach the specified destinations under the current policy settings.
• Only domains are supported as destinations; URLs, IP addresses and CIDR ranges are not supported and return no results.
• For details on specific limitations please refer here.
Starting with our SD-WAN integration

• This integration enables organizations to easily incorporate additional layers of DNS and web security across their SD-WAN deployment with a single configuration change
• This provides instant protection against threats like malware, ransomware, and C2 callbacks at branch offices
• For more granular control and visibility, customers can assign policies and view reports on a per-VPN basis
• With this integration, customers can have the cost savings and increased performance of DIA without sacrificing security
Policy Tester Results

• Triggered Identity: the identity that triggered the result. This matters when more than one identity is specified.
• Destination: the destination the test attempted to reach.
• Result: blocked or allowed. If blocked, the reason is listed as well; reasons include security settings, category settings and destination lists, and the name of the setting is given.
• Destination List / Security Settings / Category Settings: for blocked results only, the name of the setting or destination list that caused the block.
• Categorization: Umbrella's categorization of the destination. If there is no match, this information does not appear.
• Policy Applied: the name of the policy against which the identity was evaluated.
Block Page Diagnostic
Troubleshooting WEB Policy – Endpoint view
Opened from the endpoint, http://policy-debug.checkumbrella.com shows:
• Link to the WEB policy
• Umbrella ORG Id
• Umbrella Origin ID
• Ingress and egress IP

(Slide reused from Cisco Live BRKSEC-2037, 2021.)
Umbrella Support
Summary of software support deliverables for Umbrella packages
Software support for Cisco Umbrella

Two tiers: Enhanced (required for Cisco Umbrella packages*) and Premium (optional upgrade).
• Software technical support, 24x7 access to Cisco Cloud Security Support by phone/online: Enhanced yes; Premium yes
• Initial response target for Severity 1 and Severity 2: Enhanced 30 minutes; Premium 15 minutes
• Software updates: Enhanced yes; Premium yes
• Prioritized case handling: Enhanced prioritized over the Basic option; Premium prioritized over the Enhanced option
• Primary point of contact with software expertise: Enhanced yes; Premium yes
• Onboarding guidance for Smart Accounts, configuration, migration, and IT software integration: Enhanced yes; Premium yes
• Learning and training**: Enhanced yes; Premium yes
• Guidance for software usage: Enhanced yes; Premium yes
• Support case analytics: Premium
• Designated service management: an assigned expert who provides incident, case, and change management plus proactive consultation and recommendations

* Required attach for Cisco Umbrella packages DNS Essentials, DNS Advantage, and SIG Essentials
** Feature is dependent upon support contract amount

Note to speaker: same speaker notes as the previous slide on SIG-A; speak to the details here or on the previous slide.

As with all of our packages, support attach is required: Enhanced is a 10% and Premium a 20% upcharge.
Opening a Support Case
1. Email [email protected].
2. Contact Umbrella via the dashboard. At the bottom of the left-hand navigation bar there is a section labeled "Need Help", which lists the email address and, if your package provides phone support, the phone number.
3. Open a support case in the support.umbrella.com portal. In the upper right-hand corner, click the blue "Submit a request" link and provide all the required details.
Module 10
SecureX
Introducing SecureX
A cloud-native, built-in platform experience within our portfolio

Diagram: Cisco Secure (Network, Cloud, Endpoint, Applications, Identity) and your infrastructure (third-party/ITSM, Intelligence, SIEM/SOAR) feed SecureX for unified visibility. Its capabilities are Detection analytics, Investigation remediation, Managed policy and Orchestration automation, serving your SecOps, ITOps and NetOps teams.
Goals

Establish that SecureX:
• is embedded into every Cisco Secure technology and is not just another layer of security
• can improve cross-functional collaboration by incorporating key teams
• is a cloud-native platform that simplifies the security experience by addressing more than just SecOps use cases
• allows you to start small and grow as your needs dictate

Narrative

SecureX transforms your infrastructure from a series of disjointed solutions into a fully integrated ecosystem, because it builds in capabilities across our portfolio AND connects to third-party tools, to enable intelligence sharing and coordinated response, preventing threats from bypassing overwhelmed security teams.

We know you use other vendors besides Cisco. So, we have prioritized SecureX to be integrated and open to work with every tool, Cisco or otherwise. If you rely on Microsoft to store identity, Splunk to store data, ServiceNow for IT service management, or even our direct security competitors: great, connect them to SecureX!

Do you know of any other cloud-native platform that can simplify the security experience for ITOps and NetOps in addition to SecOps?

SecureX isn't another technology layer; rather, it maximizes the potential of your existing security solutions. You can start small with a single product and grow as your needs dictate.
SecureX architecture

Diagram: SecureX sign-on (with Duo MFA) fronts the platform. Cisco products and third-party apps connect through relay modules and open APIs, supplying context, intelligence, triggers and response actions. Inside SecureX: a dashboard with metrics and launch points; threat response across all Cisco Secure products (unified visibility) drawing on Talos intelligence and local context; orchestration with custom workflows driven by triggers and approval tasks/schedules; and a ribbon framework that surfaces all of this inside every product.

Cisco SecureX is included with any Umbrella or other Cisco Security product subscription (Cisco Secure: Network, Endpoint, Cloud, Applications).
Objective: Show Duo Beyond is a part of Cisco's (Zero) Trust approach

Key talking points:
● The old perimeter isn't going away
● The perimeter is wherever you have to make an access control decision
● (Zero) Trust means you establish user and device trust before granting access, not implicitly trusting users and devices based on their network location
● Cisco limits the time and privileges for "trust" to persist to as near "zero" as practical, but without forcing the user to re-authenticate every minute
● With (Zero) Trust, you have to verify user identities and validate their devices
● Duo Beyond is just a starting point to build user and device trust. There are many other components provided by Cisco to further enhance and improve the trust in users and devices
Umbrella SecureX integration

Diagram: the Umbrella Reporting, Enforcement, Investigate and Management APIs feed SecureX Dashboards, CTR (threat response), the Ribbon* and Orchestration.

Insights do not include the Investigate API.
SecureX Threat Response & Umbrella Integrations
Seeing the information that comes from the various APIs: Reporting API, Investigate API, Enforcement API.
Umbrella
Enrichment
• Local DNS requests
• Domain reputation

Response
• Block domains

Reference
• Pivot point to detailed domain, IP, and file history
Endpoint files = AMP4E
Network traffic = NGFW
Internet requests = Umbrella
Web activity = WSA
Email messages = ESA
-----
Threat analytics = FMC/TID, Playbook?
Behavior analytics = Stealthwatch (network traffic), CTA (endpoint files, web activity), Cloudlock (web activity, internet requests)
-----
Cisco identity context = ISE
Customer identity context = AD
Cisco threat intelligence = Talos/Investigate/TG
Customer threat intelligence = ??
Umbrella Ribbon

Endpoint files = AMP4E


Network traffic = NGFW
Internet requests = Umbrella
Web activity = WSA
Email messages = ESA
-----
Threat analytics = FMC/TID, Playbook?
Behavior analytics = Stealthwatch (Network traffic), CTA (Endpoint files, web activity),
Cloudlock (web activity, internet requests)
-----
Cisco identity context = ISE
Customer identity context = AD
Cisco threat intelligence = Talos/Investigate/TG
Customer threat intelligence = ??
Umbrella Dashboard tiles
• Security blocks by Command and Control category
• Security blocks by Cryptomining category
• Security blocks by Malware category
• Security blocks by Phishing category
• Request summary
Day 2 Labs
Umbrella FE Labs – Day 2
9. Secure Web Gateway
10. CASB / Cloud Malware
11. Data Loss Prevention
12. Remote Browser Isolation
13. Operations & Troubleshooting
14. Investigate
15. APIs & Integrations
16. SecureX